(54) Electronic watermarking method, electronic information distribution system, image filing apparatus and storage medium therefor



(57) An electronic information distribution system that exchanges data across a network at the least comprises a first entity, including first encryption means, for performing a first encryption process for the original data, a second entity, including management distribution means for, at the least, either managing or distributing the data that are provided by the first encryption process, and including electronic watermark embedding means for embedding an electronic watermark in the data, and a third entity, including second encryption means for performing a second encryption of the data in which an electronic watermark is embedded.

FIG. 4

Description

[0001] The present invention relates to an electronic watermarking method, an electronic information distribution system, an image filing apparatus, and a storage medium on which the steps for performing the electronic watermarking method are stored so that they can be read by a computer. In particular, the present invention pertains to an electronic watermarking method for protecting copyrights for digital information, such as moving image data, static image data, audio data, computer data and computer programs, an electronic information distribution system, such as a multimedia network system, for distributing digital information by using the electronic watermarking method, an image filing apparatus that employs the electronic watermarking method, and a storage medium on which steps for performing the electronic watermarking method are stored so that they can be read by a computer.

[0002] As a consequence of recent developments concerning computer networks and the availability of inexpensive high-performance computers, electronic transactions for trading in products across a network have become popular. Products for such transactions can be digital data, to include pictures, for example.

[0003] However, since a large number of complete copies of digital data can easily be prepared, a user who purchases digital data would be able to illegally prepare copies having the same quality as the original, and could then distribute the copied data. As a result, a warrantable price would not be paid to the owner of the copyright for the digital data or to a person (hereinafter referred to as a "seller") by whom sale of the digital data is authorized by the copyright owner, and an infringement of the copyright would occur.

[0004] Once a copyright holder or a seller (hereinafter a person who legally distributes digital data is generally called a "server") has transmitted digital data to a user, full protection against the illegal copying of the data is not possible.

[0005] Therefore, an electronic watermark technique has been proposed for use instead of a method for the direct prevention of illegal copying. According to the electronic watermark technique, a specific process is performed for the original digital data and copyright information concerning the digital data, or user information, is embedded in the digital data. Thus, when an illegal copy of the digital data is discovered, the person who distributed the copied data can be identified.

[0006] In a conventional electronic watermark system, a server is assumed to be fully trustworthy. Therefore, if a server in a conventional system is not trustworthy and should engage in some sort of illegal distribution activity, a user who has committed no crime could be falsely accused of illegally copying data.

[0007] This occurs because in a conventional electronic watermark system, as is shown in Fig. 1, when a server embeds user information d1 for identifying a user in digital data g (in the following explanation image data are employed as the digital data), which is distributed to the user, and thereafter, without the permission of the user, makes a further distribution of the data containing the user's identification data, there is no way the user can refute an accusation by the server, even though in this instance it is the server that performed an illegal act.

[0008] As a countermeasure, a system (Fig. 2) using a public key encryption method has been proposed.

[0009] According to the public key encryption method, an encryption key and a decryption key differ, with the encryption key being used as a public key while the decryption key is used as a secret key. RSA encryption and ElGamal encryption are typical, well known public key encryption system examples.

[0010] An explanation will be given for (a) features of a public key encryption system and (b) protocols for secret communications and authenticated communications.

(a) Features of public key encryption

[0011]

(1) Since an encryption key and a decryption key differ, and since the encryption key can be published, a secret delivery process is not required for the encryption key and its distribution is easy.

(2) Since the encryption keys of users are published, users need only provide for the secret storage of their decryption keys.

(3) An authentication function can be provided with which a recipient can verify that the sender of a message is not perpetrating a fraud and that the received message has not been altered.

(b) Protocols for public key encryption

[0012] For example, when E (kp, M) denotes an encryption operation for a message M that uses a public encryption key kp, and D (ks, M) denotes a decryption operation for a message M that uses a secret decryption key ks, the public key encryption algorithm satisfies the following two conditions.

(1) The calculations for the encryption E (kp, M) can be performed easily using the encryption key kp that is provided, and the calculations for the decryption D (ks, M) can also be performed easily using the decryption key ks that is provided.

(2) So long as a user does not know the decryption key ks, even if the user knows the encryption key kp, the calculation procedures for the encryption E (kp, M), and the encrypted message C = E (kp, M), the user can not ascertain what is contained in the message M because a large number of calculations are required.

When, in addition to the conditions (1) and (2), the following condition (3) is established, the secret communication function can be implemented.

(3) The encryption E (kp, M) can be defined for all the messages (plain text) M, and

D (ks, E (kp, M)) = M

is established. That is, anyone can perform the calculations for the encryption E (kp, M) using the public encryption key kp, but only a user who has the secret decryption key ks can perform the calculations for the decryption process D (ks, E (kp, M)) to obtain the contents of message M.

When, in addition to the above conditions (1) and (2), the following condition (4) is established, the authenticated communication function can be implemented.

(4) The decryption process D (ks, M) can be defined for all the (plain text) messages M, and

E (kp, D (ks, M)) = M

is established. That is, only a user who has the secret decryption key ks can perform the calculations for the decryption process D (ks, M). Even if another user attempts to calculate D (ks', M) using a bogus secret decryption key ks', and performs the calculations as would a user who has the secret decryption key ks, the result obtained is

E (kp, D (ks', M)) ≠ M,

and a recipient would understand that the received information was illegally prepared.

When the value D (ks, M) is altered, the result obtained is

E (kp, D (ks, M)') ≠ M,

and a recipient would understand that the received information was illegally prepared.

In the above described encryption method, operation E (), for which the public encryption key (hereinafter also referred to as a public key) kp is used, is called "encryption," and operation D (), for which the secret decryption key (hereinafter also referred to as a secret key) ks is used, is called "decryption."

Therefore, for a secret communication a sender performs the encryption and a recipient performs the decryption, while for an authenticated communication, a sender performs the decryption and a recipient performs the encryption.

[0013] The protocols shown below are for a secret communication, an authenticated communication, and a secret communication for a recipient B bearing a signature affixed by a sender A using the public key encryption system.

[0014] The secret key of the sender A is ksA and the public key is kpA, and the secret key of the recipient B is ksB and the public key is kpB.

[Secret Communication]

[0015] The following procedures are performed for the secret transmission of a (plain text) message M by the sender A to the recipient B.

Step 1: The sender A transmits to the recipient B a message C that is obtained by employing the public key kpB of the recipient B to encrypt the message M as follows:

C = E (kpB, M).

Step 2: To obtain the original plain text message M, the recipient employs his or her secret key ksB to decrypt the received message C as follows:

M = D (ksB, C).

[0016] Since the public key kpB of the recipient B is openly available to many, unspecified people, users other than the sender A can also transmit secret communications to the recipient B.

[Authenticated Communication]

[0017] For the authenticated transmission of a (plain text) message M by the sender A to the recipient B, the following procedures are performed.

Step 1: The sender A transmits to the recipient B a message S that he or she created by employing his or her secret key as follows:

S = D (ksA, M).

This message S is called a signed message, and the operation employed to prepare the signed message S is called "signing."

Step 2: To obtain the original plain text message M, the recipient B employs the public key kpA of the sender A to convert the signed message S as follows:

M = E (kpA, S).

If the recipient B ascertains that the message M makes sense, he or she verifies that the message M was transmitted by the sender A. And since the public key kpA of the sender A is available to many, unspecified persons, users other than the recipient B can also authenticate the signed message S transmitted by the sender A. This authentication is called "digital signing."

[Secret Communication With Signature]

[0018] The following procedures are performed for the secret transmission to the recipient B by the sender A of a (plain text) message M for which a signature has been provided.

Step 1: The sender A prepares a signed message S by employing his or her secret key ksA to sign the message M as follows:

S = D (ksA, M).

Thereafter, to prepare an encrypted message C that is subsequently transmitted to the recipient B, the sender A employs the public key kpB of the recipient B to encrypt the signed message S as follows:

C = E (kpB, S).

Step 2: To obtain the signed message S the recipient B employs his or her secret key ksB to decrypt the encrypted message C as follows:

S = D (ksB, C).

And then, to obtain the original plain text message M, the recipient B employs the public key kpA of the sender A to convert the signed message S as follows:

M = E (kpA, S).

When the recipient has ascertained that the message M makes sense, he or she verifies that the message M was transmitted by the sender A.

[0019] For a secret communication for which a signature has been provided, the order in which the calculating functions are performed at the individual steps may be inverted. In other words, in the above procedures,

Step 1: C = E (kpB, D (ksA, M))

Step 2: M = E (kpA, D (ksB, C))

are performed in this order. However, for such a secret communication, the following order may be employed:

Step 1: C = D (ksA, E (kpB, M))

Step 2: M = D (ksB, E (kpA, C)).
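
The three protocols above and the two orderings in [0019], worked through as an added Python example that is not part of the original document. Textbook RSA with small constructed primes is assumed as the concrete E/D pair; the key values and function names are illustrative, and unpadded RSA like this is not secure. It also shows a caveat of the inverted order: the intermediate value must lie inside the second key's domain.

```python
# Added example: textbook RSA as a stand-in for the page's E (kp, M) / D (ks, M).
# Tiny constructed primes, no padding: for illustration only, not secure.

def make_key(p, q, e):
    """Build (kp, ks) = ((e, n), (d, n)) from two primes and a public exponent."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)  # modular inverse needs Python 3.8+

def _apply(key, value):
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError(f"{value} is outside this key's domain [0, {n})")
    return pow(value, exponent, n)

def E(kp, m):
    """Operation with the public key ("encryption")."""
    return _apply(kp, m)

def D(ks, m):
    """Operation with the secret key ("decryption", also used for signing)."""
    return _apply(ks, m)

# Constructed sample keys: sender A has the smaller modulus (3233 < 8633).
KP_A, KS_A = make_key(61, 53, 17)
KP_B, KS_B = make_key(89, 97, 5)

def conditions_hold(kp, ks):
    """Check conditions (3) and (4) for every message in the key's domain."""
    return all(D(ks, E(kp, m)) == m and E(kp, D(ks, m)) == m
               for m in range(kp[1]))

def sign(m):
    """Authenticated communication, Step 1: S = D (ksA, M)."""
    return D(KS_A, m)

def verify(s, expected):
    """Step 2: M = E (kpA, S). Assumption: "makes sense" means equals `expected`."""
    return E(KP_A, s) == expected

def send_signed_secret(m):
    """Sign, then encrypt: C = E (kpB, D (ksA, M))."""
    return E(KP_B, D(KS_A, m))

def recv_signed_secret(c):
    """M = E (kpA, D (ksB, C))."""
    return E(KP_A, D(KS_B, c))

def send_inverted(m):
    """Encrypt, then sign: C = D (ksA, E (kpB, M))."""
    return D(KS_A, E(KP_B, m))

def recv_inverted(c):
    """M = D (ksB, E (kpA, C))."""
    return D(KS_B, E(KP_A, c))

if __name__ == "__main__":
    m = 1234  # constructed sample message, must be below A's modulus
    print("conditions (3)/(4) hold for A:", conditions_hold(KP_A, KS_A))
    s = sign(m)
    print("genuine signature accepted:", verify(s, m))
    print("altered signature accepted:", verify((s + 1) % KP_A[1], m))
    print("sign-then-encrypt round trip:", recv_signed_secret(send_signed_secret(m)))
    print("inverted order, M=5:", recv_inverted(send_inverted(5)))
    try:
        send_inverted(6)  # E (kpB, 6) = 7776, larger than A's modulus 3233
    except ValueError as err:
        print("inverted order, M=6 fails:", err)
```

With these keys the first ordering always works because every signed value is below B's larger modulus, while the inverted ordering works only when E (kpB, M) happens to fall below A's modulus.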
[0020] An explanation will now be given for the operating procedures for a conventional electronic watermark system employing the above described public key encryption method.

1) First, a contract d2 concerning the exchange of image data g is prepared by a server and a user.

2) Next, the user generates a random number ID to identify himself or herself, and employs this ID to generate a unidirectional function f.

The unidirectional function is one that when used for a function y = f(x), calculating y from x is easy, but calculating x from y is difficult. For example, a unique factorization or a discrete logarithm for an integer having a number of digits is frequently employed as a unidirectional function.

3) Then, the user prepares signature information d3 using his or her secret key ksU, and transmits it with the contract d2 and the unidirectional function f to the server.

4) Following this, the server verifies the signature information d3 and the contract d2 using the public key kpU of the user.

5) After the verification has been completed, the server embeds in the image data g a current data distribution record d4 and the random number ID prepared by the user, and generates image data which includes an electronic watermark (g + d4 + ID).

6) Finally, the server transmits to the user the image data that includes the electronic watermark (g + d4 + ID).

[0021] When an illegal copy of data is found, embedded information is extracted from the illegal image data, and a specific user is identified using the ID included therein. At this time, a claim by the server that it did not distribute the illegal copy without permission is based on the following grounds.

[0022] Since the ID used to specify a user is generated by the user, and since by using that ID the signature of the user is provided for the unidirectional function f, the server can not generate such an ID for an arbitrary user.

[0023] However, since a user who has officially concluded a contract with the server must transmit his or her ID to the server, only users who have not made contracts with the server can not be accused of committing a crime, whereas a user who has officially concluded a contract can be so accused.

[0024] Therefore, a system (Fig. 3) has been proposed for neutralizing an accusation that a crime has been committed by a user who has officially concluded a contract.

[0025] This system is implemented by dividing the server into an original image server and an embedding server. According to this system, the embedded electronic watermark is not destroyed during encryption and decryption.

[0026] The operating procedures for the system in Fig. 3 will now be described.

1) First, to obtain desired image data a user issues a request bearing his or her signature d5 to an original image server.

2) The original image server employs the user's signature d5 to verify the contents of the request, and subsequently encrypts the requested image data g and transmits the encrypted data to an embedding server.

At this time, the original image server transmits to the embedding server the image data g accompanied by a signature for a user name u and for consignment contents d6. The original image server also transmits to the user a decryption function f that is related to the encryption.

3) The embedding server verifies the received encrypted image data g' and the signature (u + d6), employs the user name u and the consignment contents d6 to prepare and embed user information d7 for specifically identifying a user, and thereby creates encrypted data (g' + d7) having an electronic watermark. Then, the embedding server transmits to the user the encrypted image data (g' + d7) that includes the electronic watermark.

4) The user employs the decryption function f, which was received from the original image server, to decrypt the encrypted image data that includes an electronic watermark, (g' + d7), and to obtain the image data provided with the electronic watermark, (g + d7).

[0027] When an illegal copy is found later, the original image server encrypts the illegal image data and extracts the embedded information, and transmits it to the embedding server. The embedding server specifically identifies a user from the embedded information.

[0028] In this system, since an original image server does not embed in the image data g the user information d7 specifically identifying a user, and since the embedding server does not know the decryption function f (and can not retrieve the original image), the individual server can not illegally distribute to officially contracted servers image data in which is embedded the user information d7.

[0029] However, neither the collusion of the original image server and the embedding server, nor the collusion of the embedding server and a user is taken into account in the system in Fig. 3. Since the embedding server holds the encrypted image data g' for the image data g, which are the original image data, and the user holds the decryption function f, when the original image server is in collusion with the embedding server, the servers, as in the system in Fig. 2, can perform an illegal act. And when the embedding server is in collusion with the user, the original image (image data g) can be illegally obtained.
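
The collusion analysis of [0028] and [0029] as an added Python example that is not from the original document: each entity's holdings in the Fig. 3 system are pooled per coalition and closed under the decrypt and embed operations. The entity and item names and the rule set are a constructed model of the text, and it assumes an embedded watermark cannot be stripped.

```python
from itertools import combinations

# Constructed model of the Fig. 3 system (added example, not the patent's own code).
# What each entity holds after one transaction, using the page's symbols:
#   g = original image, g' = encrypted image, f = decryption function,
#   d7 = user information, "g'+d7" / "g+d7" = watermarked encrypted / plain image.
HOLDINGS = {
    "original_image_server": {"g", "g'", "f"},
    "embedding_server": {"g'", "d7", "g'+d7"},
    "user": {"f", "g'+d7", "g+d7"},
}

# Derivation rules: (items required, item obtained). Assumption: a watermark,
# once embedded, cannot be removed, so no rule leads from "g+d7" back to "g".
RULES = [
    ({"f", "g'"}, "g"),            # decrypt the encrypted original
    ({"f", "g'+d7"}, "g+d7"),      # decrypt the watermarked ciphertext
    ({"g'", "d7"}, "g'+d7"),       # embed in the encrypted domain
    ({"g", "d7"}, "g+d7"),         # embed in the plain domain
]

def derivable(items):
    """Close a set of items under RULES (fixpoint iteration)."""
    known = set(items)
    changed = True
    while changed:
        changed = False
        for required, obtained in RULES:
            if required <= known and obtained not in known:
                known.add(obtained)
                changed = True
    return known

def coalition_can_obtain(coalition, item, holdings=HOLDINGS):
    """True if the pooled holdings of `coalition` let it derive `item`."""
    pooled = set().union(*(holdings[name] for name in coalition))
    return item in derivable(pooled)

def minimal_coalitions(item, candidates, holdings=HOLDINGS):
    """Smallest groups among `candidates` that can derive `item`."""
    found = []
    for size in range(1, len(candidates) + 1):
        for group in combinations(candidates, size):
            if any(set(prev) <= set(group) for prev in found):
                continue  # a smaller subgroup already suffices
            if coalition_can_obtain(group, item, holdings):
                found.append(group)
    return found

def leak(holdings, item, to):
    """Return a copy of `holdings` in which entity `to` has also learned `item`."""
    copy = {name: set(items) for name, items in holdings.items()}
    copy[to].add(item)
    return copy

if __name__ == "__main__":
    servers = ["original_image_server", "embedding_server"]
    print("can produce (g + d7) without the user:",
          minimal_coalitions("g+d7", servers))
    print("can obtain g without the original image server:",
          minimal_coalitions("g", ["embedding_server", "user"]))
    leaked = leak(HOLDINGS, "f", "embedding_server")
    print("after f reaches the embedding server:",
          minimal_coalitions("g+d7", servers, leaked))
```

No single server can produce the user's watermarked image, but the two servers together can, and the embedding server together with the user recovers the original image g.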



[0030] The original image server transmits the decryption function f to the user; however, if the user does not provide adequate management control for the decryption function f, the carelessness of the user will result in the embedding server obtaining knowledge of the decryption function f, even though the embedding server is not in collusion with the user.

[0031] Furthermore, in the system in Fig. 3 the original image server does not include embedding means, nor can it correctly perform embedding. However, since the embedded information is extracted by the original image server, the original image server could correctly perform the embedding by analyzing the embedded information.

[0032] For this reason, since the embedding server does not embed its own signature, the correspondence between the embedded information and the user information constitutes the only embedding server secret. However, the correspondence between the embedded information and the user information is not a random correspondence involving the use of a database. If the embedded information is prepared from the user information according to specific rules, there is a good probability that analysis of the embedded information will be possible.

[0033] In this case, as in the system in Fig. 2, the performance of an illegal act is possible.

[0034] Furthermore, as is described above, while a system comprising a user and a server has been proposed, though still incomplete, the security available with a system wherein servers are provided hierarchically is not guaranteed.

[0035] The reason is as follows. For example, for a system (hierarchical network 1) shown in Fig. 4 wherein a plurality of sales agencies 1 to m are located under a server, and users 11 to 1n and users m1 to mn are located under the individual sales agencies, or for a system (hierarchical network 2) shown in Fig. 5 wherein one of a plurality of authors 1 to m requests that a sales agency that represents him or her sell his or her image data and the sales agency sells image data authored by the pertinent author to many users 1 to n, the participating constituents associated with the trade in data increase from a server and a user, to a server (or an author), an agency and a user, so that the collusion that may occur in the system wherein there are three participating constituents is more complex than is that in the system wherein there are two participating constituents.

[0036] The system shown in Fig. 3 could be regarded as a system comprising a server, an agency and a user. However, the conventional system is not based on a hierarchical system, and servers are provided separately in order to prevent an illegal act that may be performed by a single server. As is described above, that collusion may occur is not taken into account.

[0037] One aspect of the present invention provides an electronic watermarking method that accurately prevents the illegal distribution of data, even if components that perform the trading of data are arranged hierarchically, an electronic information distribution system, an image filing apparatus, and a storage medium.
[0038] According to one aspect of the present invention, an electronic watermarking method comprises:

a first step at which a first entity performs a first encryption process for the original data;
a second step at which a second entity, at the least, either manages or distributes the data that are provided by the first encryption and embeds an electronic watermark in the data; and
a third step at which a third entity performs a second encryption process for the data in which the electronic watermark has been embedded.

[0039] According to one more aspect of the present invention, an electronic information distribution system that exchanges data across a network at the least comprises:

a first entity, including first encryption means, for performing a first encryption process for the original data;
a second entity, including management distribution means for, at the least, either managing or distributing the data that are provided by the first encryption process, and including electronic watermark embedding means for embedding an electronic watermark in the data; and
a third entity, including second encryption means for performing a second encryption of the data in which an electronic watermark is embedded.

[0040] According to another aspect of the present invention, an electronic watermarking method comprises the steps of:

employing a plurality of means or entities to perform distributed processing for the encryption and for the embedding of an electronic watermark; and
employing additional means or entities to examine the legality of, at the least, either the encryption processing or the processing for embedding an electronic watermark that is performed by the plurality of means or entities.

[0041] These means or entities may, at the least, consist of three types of means or of entities.

[0042] According to an additional aspect of the present invention, an electronic information distribution system, which exchanges digital data across a network system constituted by a plurality of entities, comprises:

a first entity, including first data encryption means;
a second entity, including electronic watermark embedding means, for managing and distributing data received from the first entity;
a third entity, including second encryption means, for employing data in which an electronic watermark has been embedded; and
a fourth entity for examining the legality of, at the least, either the encryption processing or the electronic watermark embedding process performed by the first to the third entities.

[0043] According to a further aspect of the present invention, an electronic information distribution system, which exchanges digital data across a network system constituted by a plurality of entities, comprises:

a first entity, including first data encryption means;
a second entity, including electronic watermark embedding means, for managing and distributing data received from the first entity;
a third entity, including electronic watermark embedding means and second encryption means, for employing data in which an electronic watermark has been embedded; and
a fourth entity for examining the legality of, at the least, either the encryption processing or the electronic watermark embedding process performed by the first to the third entities.

[0044] According to one further aspect of the present invention, an electronic information distribution system, which exchanges digital data across a network system constituted by a plurality of entities, comprises:

a first entity, including electronic watermark embedding means and first data encryption means;
a second entity, including electronic watermark embedding means, for managing and distributing data received from the first entity;
a third entity, including second encryption means, for employing data in which an electronic watermark has been embedded; and
a fourth entity for examining the legality of, at the least, either the encryption processing or the electronic watermark embedding process performed by the first to the third entities.

[0045] According to yet one more aspect of the present invention, an electronic information distribution system, which exchanges digital data across a network system constituted by a plurality of entities, comprises:

a first entity, including electronic watermark embedding means and first data encryption means;
a second entity, including, at the least, one of electronic watermark embedding means, a first encryption means and a second encryption means, for managing and distributing data received from the first entity;
a third entity, including electronic watermark embedding means and second encryption means, for employing data in which an electronic watermark has been embedded; and
a fourth entity for examining the legality of, at the least, either the encryption processing or the electronic watermark embedding process performed by the first to the third entities.

[0046] According to yet another aspect of the present invention, an electronic watermark superimposition method comprises the steps of:

encrypting electronic information and exchanging the resultant electronic information;
embedding electronic watermark information in the electronic watermark during the encryption process; and
repeating a plurality of times the processing for transmitting the electronic information accompanying an electronic watermark,
whereby the electronic information on which the electronic watermark information is superimposed is transmitted by a first entity and delivered via a second entity to a third entity.

[0047] According to yet an additional aspect of the present invention, an electronic information distribution system comprises:

a first entity in which original electronic information is held, including encryption means for encrypting the original electronic information and embedding means for embedding an electronic watermark in the electronic information provided by the encryption process;
a second entity, including encryption means for managing and distributing electronic information received from the first entity and for encrypting the electronic information, and including embedding means for embedding electronic watermark information in the electronic information; and
a third entity, including encryption means for encrypting electronic information received from the second entity, for employing the resultant electronic information.

[0048] According to yet a further aspect of the present invention, provided is an electronic watermark superimposition method, whereby, for the transmission of electronic information to a reception entity by a transmission entity, the transmission entity repeats the electronic watermark processing performed for electronic information that has been encrypted by the reception entity, so that electronic information on which an electronic watermark has been superimposed is, at the least, transmitted by a first entity via a second entity to a third entity.
[0049] According to yet one further aspect of the present invention, an electronic watermark superimposition method comprises the steps of:

a transmission entity performing a first encryption process for electronic information;
a reception entity performing for the resultant electronic information a second encryption process that differs from the first encryption process, and returning the obtained electronic information to the transmission entity; and
the transmission entity decrypting the electronic information for which the first encryption process has been performed, and embedding electronic watermark information in the electronic information that is decrypted,
whereby by repeating the steps, the electronic information on which the electronic watermark information has been superimposed is, at the least, transmitted by a first entity via a second entity to a third entity.

[0050] According to still one more aspect of the present invention, an electronic information distribution system comprises:

a first entity, whereat original electronic information is held;
a second entity, for managing and distributing electronic information received from the first entity; and
a third entity, for employing the electronic information received from the second entity,
wherein for transmission of electronic information by a transmission entity to a reception entity, the transmission entity repeats the processing for embedding an electronic watermark in electronic information, so that electronic information in which electronic watermark information is embedded is, at the least, transmitted by the first entity via the second entity to the third entity.

[0051] According to still another aspect of the present invention, an electronic information distribution system comprises:

a first entity, whereat original electronic information is held;
a second entity, for managing and distributing electronic information received from the first entity; and
a third entity, for employing the electronic information received from the second entity,
wherein a reception entity performs a second encryption process for electronic information for which a transmission entity has performed a first encryption process that differs from the second encryption process, and returns the resultant electronic information to the transmission entity,
wherein the transmission entity decrypts electronic information for which the first encryption process has been performed, and embeds the electronic watermark information in the resultant electronic information, and
wherein by repeating the processing, electronic information on which electronic watermark information is superimposed is, at the least, transmitted by the first entity via the second entity to the third entity.

[0052] Embodiments of the present invention will now be described with reference to the accompanying drawings, in which:

Fig. 1 is a diagram for explaining a conventional electronic watermark system;
Fig. 2 is a diagram for explaining a conventional electronic watermark system (1) obtained by improving the system in Fig. 1;
Fig. 3 is a diagram for explaining a conventional electronic watermark system (2) obtained by improving the system in Fig. 1;
Fig. 4 is a diagram for explaining a hierarchical system (including a server, agencies and users) employing a conventional electronic watermarking method;
Fig. 5 is a diagram for explaining a hierarchical system (including authors, agency and users) employing a conventional electronic watermarking method;
Fig. 6 is a block diagram illustrating the arrangement of a system according to a first embodiment of the present invention;
Fig. 7 is a flowchart for explaining verification processing performed by the system;
Fig. 8 is a block diagram illustrating the arrangement of a system according to a second embodiment of the present invention;
Fig. 9 is a block diagram illustrating the arrangement of a system according to a third embodiment of the present invention;
Fig. 10 is a diagram for explaining a general image format;
Fig. 11 is a diagram for explaining image file structure (I);
Fig. 12 is a diagram for explaining image file structure (II);
Fig. 13 is a diagram for explaining attributes that describe a method for storing image data;
Fig. 14 is a diagram for explaining an example image file that is constituted by a plurality of images having different resolutions;
Fig. 15 is a diagram for explaining images on layers having different resolutions;
Fig. 16 is a diagram for explaining tile data for individual image data;
Fig. 17 is a diagram for explaining an electronic watermark system according to a fourth embodiment of the present invention;
Fig. 18 is a diagram for explaining an electronic watermark system according to a fifth embodiment of the present invention;
Fig. 19 is a diagram for explaining an electronic watermark system according to a sixth embodiment of the present invention;
Fig. 20 is a diagram for explaining an electronic watermark system according to a seventh embodiment of the present invention;

Fig. 21 is a diagram for explaining an electronic 
watermark system according to an eighth embodi- 
ment of the present invention; 
Fig. 22 is a diagram illustrating a system configura- 

10 tion according to embodiment nine through embod- 
iment twelve; 

Fig. 23 is a block diagram for explaining the ninth 
embodiment; 

Fig. 24 is a block diagram for explaining the tenth 
15 embodiment; 

Fig. 25 is a block diagram for explaining the elev- 
enth embodiment; and 

Fig. 26 is a block diagram for explaining the twelfth 
embodiment. 

20 

(First Embodiment) 

[0053] The present invention is applied, for example,
for a hierarchical system (a system including multiple
agencies) shown in Fig. 4.

[0054] Fig. 6 is a schematic diagram illustrating the 
arrangement, for the system in Fig. 4, of a server, one of 
a plurality of agencies, and one of the users that belong 
to the agency. 

[0055] A system 100 will be specifically explained
while referring to Fig. 6. 

[0056] The system 100 is a network system, which is
constituted by multiple entities (not shown) that include
a terminal 10 at the server side (a server terminal), a
terminal 40 at the agency side (an agency terminal),
and a terminal 20 at the user side (a user terminal). The
individual entities exchange digital data across the
network.

[0057] The server terminal 10 comprises: a contract
identification unit 11, for receiving data from the user
terminal 20; an electronic watermark embedding unit
12, for receiving, for example, image data (digital data)
G and agency information M; a first encryption unit 13,
for receiving the output of the electronic watermark
embedding unit 12; a first decryption unit 14, for
receiving data from the agency terminal 40; an identification
unit 15, for receiving data from the agency terminal 40;
and a hash generator 16, for receiving the output of the
first decryption unit 14.

[0058] The outputs of the first encryption unit 13 and
the hash generator 16 are transmitted to the agency
terminal 40, and the output of the first decryption unit 14 is
transmitted, via the agency terminal 40, both to the
hash generator 16 and to the user terminal 20.

[0059] The agency terminal 40 comprises: a contract
generator 41, for receiving data from the user terminal
20; an electronic watermark embedding unit 42, for
receiving the outputs of the contract generator 41 and
the first encryption unit 13 of the server terminal 10; a
third encryption unit 43, for receiving the output of the
electronic watermark embedding unit 42; a hash generator
44, for receiving the output of the third encryption
unit 43; an identification unit 45, for receiving the output
of the hash generator 44; a third decryption unit 46 and
an identification unit 47, for receiving data from the user
terminal 20; and an electronic watermark embedding
unit 48, for receiving the output of the third decryption
unit 46.

[0060] The data output by the third encryption unit 43
are transmitted to the hash generator 44, and also to the
first decryption unit 14 and the identification unit 15 of
the server terminal 10. The data output by the hash
generator 16 of the server terminal 10 are also transmitted
to the identification unit 45, and the data output by
the identification unit 45 are also transmitted to the user
terminal 20. Further, data from the user terminal 20 are
transmitted to the electronic watermark embedding unit
48, and the data output by the electronic watermark
embedding unit 48 are transmitted to the user terminal
20.

[0061] The user terminal 20 comprises: a contract
generator 21, for transmitting data to the contract
identification unit 41 of the agency terminal 40; a second
encryption unit 24 and an identification/signature
generation unit 28, for receiving data, via the agency terminal
40, from the first decryption unit 14 of the server
terminal 10; and a hash generator 26, for receiving data from
the second encryption unit 24; and a second decryption
unit 27, for receiving the output of the electronic
watermark embedding unit 48 of the agency terminal 40.

[0062] The data produced by the secondary decryption
unit 24 are transmitted to the hash generator 26,
and to the third decryption unit 46 and the identification
unit 47 of the agency terminal 40. The data produced by
the hash generator 26 are also output to the identification
unit 47 of the agency terminal. The data produced
by the identification unit 45 of the agency terminal 40
are transmitted to the identification/signature generation
unit 28.

[0063] In the above system 100, information concerning
the first encryption process, such as the method
used and a secret key, is only that which is available to
the server; information concerning the second encryption
process is only that which is available to the user;
and information concerning the third encryption process
is only that which is available to the agency.

[0064] It should be noted, however, that a property of
these encryption processes is that regardless of whichever
encryption process is performed first, a message
can be deciphered by employing the decryption process.

[0065] Hereinafter, the encryption process is represented
by "Ei()," the decryption process is represented
by "Di()" and the embedding process concerning an
electronic watermark is represented by

[0066] Thus, the electronic watermark embedding
processing performed by the system 100 will be
explained first.

[Embedding Process] 
[0067] 

1) First, to obtain desired image data, the user ter- 
minal 20 issues to the agency a request bearing the 
user's signature. The requested data is information 
(user's signature information) that is generated by 
the contract generator 21 and that is hereinafter 
called contract information. 

The agency terminal 40 receives contract infor- 
mation from the user, identifies it and requests that 
the server provide the image data. 

2) The electronic watermark embedding unit 12 of
the server terminal 10 embeds agency information
M in the image data G that are requested from the
agency.

The first encryption unit 13 performs a first
encryption process E1() for image data (G + M) in
which the agency information M is embedded by
the electronic watermark embedding unit 12, and
transmits the resultant image data to the agency.

In this fashion, the agency terminal 40 receives
the first encrypted image data E1(G + M).

3) The contract generator 41 of the agency terminal
40 generates user information U using the contract
information for the user.

The electronic watermark embedding unit 42
embeds the user information U generated by the
contract generator 41 in the first encrypted image
data E1(G + M) received from the server.

The third encryption unit 43 performs a third
encryption process E3() for the first encrypted
image data E1(G + M) + U, in which the user
information U is embedded by the electronic watermark
embedding unit 42, and transmits the obtained
image data (third encrypted image data)
E3(E1(G + M) + U) to the server.

At the same time, the hash generator 44 generates
a hash value H1 for the transmission data
(third encrypted image data) E3(E1(G + M) + U),
signs it, and transmits the obtained hash value H1
to the server terminal 10.

As a result, the server terminal 10 receives the
third encrypted image data E3(E1(G + M) + U) and
the hash value H1, with its signature.

The hash value is a value obtained by calculating
the hash function h(), and the hash function is a
compression function that seldom causes a collision.
A collision in this case would mean that for the
different values x1 and x2, h(x1) = h(x2). The
compression function is a function for converting a bit
string having a specific bit length into a bit string
having a different bit length. Therefore, the hash
function is a function h() by which a bit string having
a specific bit length is converted into a bit string
having a different bit length, and for which values x1
and x2 that satisfy h(x1) = h(x2) are not easily
found. Since a value x that satisfies y = h(x) is not
easily obtained from an arbitrary value y, accordingly,
the hash function is a unidirectional function.
Specific examples for the hash function are an MD
(Message Digest) 5 or an SHA (Secure Hash Algorithm).

4) The identification unit 15 of the server terminal
10 identifies the signature for the hash value H1
received from the agency terminal 40, and confirms
that the hash value H1 matches a hash value that is
generated using the transmission data (third
encrypted image data E3(E1(G + M) + U)). After
the confirmation process is completed, the identification
unit 15 stores the received data.

The first decryption unit 14 decrypts the first
encrypted portion of the third encrypted image data
E3(E1(G + M) + U) received from the agency terminal
40, and transmits the obtained image data to
the user terminal 20.

At the same time, the hash generator 16 generates
a hash value H2 for the transmission data
E3(G + M + D1(U)), signs it and transmits the
data to the agency terminal 40.

Thus, the agency terminal 40 receives data
E3(G + M + D1(U)) and the hash value H2, with its
signature.

5) The identification unit 45 of the agency terminal
40 identifies the signature for the hash value H2
received from the server terminal 10, and confirms
that the hash value H2 matches the hash value for
the transmission data E3(G + M + D1(U)). After
the confirmation process is completed, the identification
unit 45 stores the received data.

In addition, the identification unit 45 transmits
the data received from the server to the user
unchanged.

Therefore, the user terminal 20 receives the
data E3(G + M + D1(U)) and the hash value H2,
with its signature.

6) The identification/signature generation unit 28
identifies the signature for the hash value H2
received from the agency terminal 40, and confirms
that the hash value H2 matches the hash value for
the transmission data E3(G + M + D1(U)). After
the confirmation process is completed, the received
data are stored.

In addition, the identification/signature generation
unit 28 generates its own signature A for the
hash value H2, and transmits the hash value H2,
with the signature, to the server via the agency.

The identification unit 45 of the agency terminal
40 and the hash generator 16 of the server terminal
10 identify the signature A transmitted by the user,
and then store it.

7) The second encryption unit 24 of the user terminal
20 performs a second encryption process E2()
for the data E3(G + M + D1(U)) received from the
agency, and transmits the obtained data to the
agency.

At the same time, the hash generator 26 generates
a hash value H3 for the transmission data
E2(E3(G + M + D1(U))), signs it, and transmits the
hash value H3, with the signature, to the agency. In
addition, the hash generator 26 generates its own
certification data S and transmits it to the agency.

As a result, the agency terminal 40 receives the
data E2(E3(G + M + D1(U))), the hash value H3,
with its signature, and the certification information
S.

8) The identification unit 47 of the agency terminal
40 identifies the signature for the hash value H3
received from the user, and confirms that the hash
value H3 matches the hash value for the transmission
data E2(E3(G + M + D1(U))). After the confirmation
process is completed, the received data are
stored.

The third decryption unit 46 decrypts the third
encrypted portion of the data
E2(E3(G + M + D1(U))) received from the user.

The electronic watermark embedding unit 48
embeds the certification information S in the data
E2(G + M + D1(U)) that are obtained by the third
decryption unit 46, and transmits the resultant data
E2(G + M + D1(U)) + S to the user.

The hash generator 49 generates a hash value
H4 for the data E2(G + M + D1(U)), and signs it,
and transmits the resultant hash value H4 to the
user.

In this fashion, the user terminal 20 receives
the data E2(G + M + D1(U)) + S.

9) The identification unit 29 of the user terminal 20
identifies the signature for the hash value H4
received from the agency, and confirms that the
hash value H4 matches the hash value for the
transmission data E2(G + M + D1(U)). After the
confirmation process is completed, the received
data are stored. The second decryption unit 27
decrypts the second encrypted portion of the data
E2(G + M + D1(U)) + S, and extracts and outputs,
with an electronic watermark, image data Gw.

The image data Gw is represented as

Gw = G + M + D1(U) + D2(S).

This indicates that the agency information M, the first
encrypted user information (electronic watermark
information) U and the second encrypted signature
information S are embedded in the original image data.

As is described above, since the agency is in
charge of embedding the signature information S
for the user, basically the user can not perform an
illegal act. While the agency embeds the user
information U and the signature information S for the
user, the user information U is affected by the first
encryption, which only the server knows, and the
signature information is affected by the second
encryption, which only the user knows. Therefore,
the agency can not embed D1(U + D2(S)) directly
in the original image data G.
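
The algebra of the embedding process above can be checked with a small model. The following is an added example, not code from the patent: it assumes a toy commutative cipher (each sample multiplied by a secret key modulo a prime) and additive embedding, chosen only because they satisfy Di(Ei(X) + W) = X + Di(W). The names P, E, D, embed, check, run_embedding and server_key_consistent are hypothetical, the sample data and keys are constructed, and the signatures on the hash values are omitted.

```python
import hashlib

P = 65537  # toy prime modulus (assumption; the page fixes no cipher)

def E(key, data):
    """Toy encryption Ei(): multiply every sample by the secret key mod P."""
    return [(key * x) % P for x in data]

def D(key, data):
    """Toy decryption Di(): multiply by the modular inverse of the key."""
    inv = pow(key, -1, P)
    return [(inv * x) % P for x in data]

def embed(data, mark):
    """The '+' in expressions such as G + M: add watermark samples mod P."""
    return [(x + w) % P for x, w in zip(data, mark)]

def h(data):
    """Hash value of transmitted data. SHA-256 is used here; the page names
    MD5 or SHA, and MD5 is no longer collision resistant."""
    return hashlib.sha256(b"".join(x.to_bytes(4, "big") for x in data)).hexdigest()

def check(received, claimed_hash):
    """What each identification unit does before storing received data."""
    if h(received) != claimed_hash:
        raise ValueError("hash mismatch: transmission data were altered")
    return received

def run_embedding(G, M, U, S, k1, k2, k3):
    """Steps 2) to 9) of the first embodiment. k1: server, k2: user, k3: agency."""
    t = {}
    # 2) server: embed M, then first encryption
    t["E1(G+M)"] = E(k1, embed(G, M))
    # 3) agency: embed U in the encrypted data, third encryption, hash H1
    t["E3(E1(G+M)+U)"] = E(k3, embed(t["E1(G+M)"], U))
    t["H1"] = h(t["E3(E1(G+M)+U)"])
    # 4) server: check H1, undo only the first encryption, hash H2
    c = check(t["E3(E1(G+M)+U)"], t["H1"])
    t["E3(G+M+D1(U))"] = D(k1, c)
    t["H2"] = h(t["E3(G+M+D1(U))"])
    # 5), 6) agency and user check H2 (the user's signature A is omitted)
    c = check(t["E3(G+M+D1(U))"], t["H2"])
    # 7) user: second encryption, hash H3
    t["E2(E3(G+M+D1(U)))"] = E(k2, c)
    t["H3"] = h(t["E2(E3(G+M+D1(U)))"])
    # 8) agency: check H3, undo the third encryption, hash H4, embed S
    c = check(t["E2(E3(G+M+D1(U)))"], t["H3"])
    t["E2(G+M+D1(U))"] = D(k3, c)
    t["H4"] = h(t["E2(G+M+D1(U))"])
    t["E2(G+M+D1(U))+S"] = embed(t["E2(G+M+D1(U))"], S)
    # 9) user: check H4 (assumption: the user removes its own S first),
    #    then undo the second encryption
    check([(x - s) % P for x, s in zip(t["E2(G+M+D1(U))+S"], S)], t["H4"])
    t["Gw"] = D(k2, t["E2(G+M+D1(U))+S"])
    return t

def server_key_consistent(stored, k1_submitted, H2):
    """Verification steps 3) to 5): decrypt the first encrypted portion of the
    stored E3(E1(G+M)+U) with the key the server submits and compare the hash
    with H2. False corresponds to step 4): the submitted key is not correct."""
    return h(D(k1_submitted, stored)) == H2

# Constructed sample data: four "pixels" and three watermark vectors.
G = [100, 200, 300, 400]
M = [1, 0, 1, 0]
U = [0, 2, 0, 2]
S = [3, 3, 0, 0]
K1, K2, K3 = 12345, 23456, 34567  # constructed secret keys

def expected_Gw():
    """Gw = G + M + D1(U) + D2(S), computed directly from the formula."""
    return embed(embed(embed(G, M), D(K1, U)), D(K2, S))

if __name__ == "__main__":
    t = run_embedding(G, M, U, S, K1, K2, K3)
    print(t["Gw"] == expected_Gw())
    print(server_key_consistent(t["E3(E1(G+M)+U)"], K1, t["H2"]))
    print(server_key_consistent(t["E3(E1(G+M)+U)"], K1 + 1, t["H2"]))
```

Because the toy cipher is linear, anyone holding one plaintext/ciphertext pair recovers the key; it models only the order-independence required in [0064], not a cipher to deploy.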

When an illegal copy (an illegal image) is found,
an illegal user is specified by performing the
processing shown in Fig. 2 (hereinafter this process
is referred to as a verification process). In this
embodiment, however, it is noted that image data
are not affected by the modification or the deletion
of electronic watermark information.

[Verification Process]

[0068] 

1) First, the server terminal 10 extracts agency
information M' from the illegal image Gw' that was
found (step S101).

When the agency information M' is not
extracted, it is ascertained that the server (or the
author) has committed an illegal act (step S102).
This is so because the server side embedded the
agency information M' in the image data.

2) When at 1) the correct agency information M is
extracted (M' = M), the server submits to the
verification office 30 the illegal image data Gw' and the
first encryption key, and requests the first encryption
of the illegal image data (step S103) and
the extraction of the user information U' (step
S104).

When the correct user information U' is
extracted (U' = U), program control advances to 8)
which will be described later.

3) When at 2) the correct user information is not
extracted, the verification office 30 requests from
the server the stored data E3(E1(G + M) + U), and
the hash value H1, with its signature. The verification
office 30 then identifies the hash value H1 and
the signature. Thereafter, the verification office 30
decrypts the first encrypted portion of the data
E3(E1(G + M) + U), generates its hash value, and
confirms that the hash value matches the hash
value H2 stored by the agency. At the same time,
the verification office 30 examines the signature
provided for the hash value H2 (step S105).

4) When at 3) the hash value generated by the
verification office 30 does not match the hash value H2
stored by the agency, the verification office 30
ascertains that the server committed an illegal act
(step S106).

This means that the first encryption key submitted
by the server is not correct.

5) When at 3) the hash value generated by the
verification office 30 matches the hash value H2 stored
by the agency, the verification office 30 requests
that the agency submit the third encryption key,
decrypts the third encrypted portion of the data
E3(E1(G + M) + U) stored by the server, and from
the obtained data extracts the user information U'
(step S107).

6) When at 5) the correct user information U' is
extracted (U' = U), the verification office 30
ascertains that the server committed an illegal act (step
S108).

This indicates that the user information U' has
been correctly embedded in the image data. In
addition, since through the verification process as
performed up to 5) it is determined that the first
encrypted portion for the illegal image data is
correct and the user information U' is illegal, it is
apparent that only the server that knows the first
encryption key could generate the illegal image
data Gw'.

7) When at 5) the correct user information U' is not
extracted, the verification office 30 ascertains
that the agency committed an illegal act (step
S109).

This indicates that the correct user information
U' was not embedded in the image data during the
embedding process, and the agency was in charge
of embedding the user information.

8) When at 2) the correct user information U' is
extracted (U' = U), the verification office 30 requests
that the server and the agency submit the stored
hash value H2 and a signature A' provided by the
user for the hash value H2, and identifies the
signature A' (step S110).

9) When at 8) the correct signature A' is not
identified (not submitted), the verification office 30
ascertains that the server and the agency colluded in an
illegal act (step S111).

This indicates that the server and the agency
colluded in the counterfeiting of data
G + M + D1(U'), which represents an arbitrary user
(user information U').

10) When at 8) the correct signature A' is identified
(A' = A), the verification office 30 requests that the
user submit the second encryption key, and performs
the second encryption for the illegal image
data Gw' (step S112). Then, the signature information
S' is extracted (step S113).

11) When at 10) the correct signature information S' 
is extracted (S' = S), the verification office 20 
ascertains that an illegal act was committed by the 
user (step S114). 

This is because the process for performing the 
second encryption process and for extracting the 
signature information S' can be performed only by 
the user. 

12) When at 10) the correct signature information S'
is not extracted, the verification office 30 requests
that the user submit the stored image
E3(G + M + D1(U)), the hash value H3, with its
signature, and identifies the hash value H3 and the
signature. Then, the verification office 30 performs
the second encryption process for the data
E3(G + M + D1(U)), and generates a hash value
for the data in order to ascertain whether it matches
the hash value H3. At the same time, the verification
office 30 also examines the signature for the
hash value H3 (step S115).

13) When at 12) the hash value generated by the 
verification office 30 does not match the hash value 
H3 stored by the user, the verification office 30 
ascertains an illegal act was committed by the user 
(step S116).

This is because the second encryption key 
submitted by the user is not correct. 

14) When at 12) the hash value generated by the
verification office 30 matches the hash value H3
stored by the user, the verification office 30
ascertains an illegal act was committed by the agency
(step S117).

This is because the agency did not embed the 
correct signature information S in the image data 
during the embedding process. 

[0069] As is described above, according to the first 
embodiment, the verification office is not necessary 
until an illegal image is found, and any illegal act can not 
be determined to have been performed before an illegal 
image is found. In addition, so long as the above 
described verification processing is well known, and the 
server, the agency and the user monitor the results of 
that processing, an illegal act by them can be specified 
in accordance with the situation, even without the verifi- 
cation office 30 being involved. 

(Second Embodiment) 

[0070] The present invention is, for example, applied
for a hierarchical system (a system including one
agency) shown in Fig. 5.

[0071] Fig. 8 is a schematic diagram illustrating the 
arrangement, for the system in Fig. 5, of one of a plural- 
ity of authors (or servers), an agency, and an arbitrary 
user, one of a plurality of users. 

[0072] A system 200 will be specifically explained 
while referring to Fig. 8. 

[0073] The system 200 has the same structure as the 
system 100 in Fig. 6, except for the following. 

1) An electronic watermark embedding unit 12 is 
not provided in a server terminal 10, and only 
image data G are transmitted to a first encryption 
unit 13. 

2) A hash generator 49 for receiving the output of 
an electronic watermark embedding unit 48 is fur- 
ther provided for an agency terminal 40. The data 
produced by the hash generator 49 are transmitted 
to a user terminal 20. 



3) An identification unit 29 is additionally provided 
for the user terminal 20 and receives the outputs of 
the electronic watermark embedding unit 48 and 
the hash generator in the agency terminal 40. 

[0074] As is described above, the system 200 is so 
designed that the embedding of agency information M 
representing an agency is omitted. 
[0075] First, an explanation will be given for the elec- 
tronic watermark embedding processing performed by 
the system 200. 

[0076] The same reference numerals as are used for 
the system 100 in Fig. 6 are also used to denote corre- 
sponding components in the system 200 in Fig. 8, and 
no detailed explanation for them will be given. 

[Embedding Process] 

[0077] 

1) First, to obtain image data (contract information), 
the user terminal 20 issues to the agency a request 
bearing the user's signature. 

The agency terminal 40 receives contract infor- 
mation from the user, identifies it and requests that 
the server provide the image data. 

2) In the server terminal 10, the first encryption unit 
13 performs a first encryption process E1 for image 
data G, and transmits the resultant image data to 
the agency. 

In this fashion, the agency terminal 40 receives 
the first encrypted image data E1(G). 

3) The contract generator 41 of the agency terminal 
40 generates user information U using the contract 
information for the user. 

The electronic watermark embedding unit 42 
embeds the user information U generated by the 
contract generator 41 in the first encrypted image 
data E1(G) received from the server. 

The third encryption unit 43 performs a third
encryption process E3 for the first encrypted image
data E1(G) + U, in which the user information U is
embedded by the electronic watermark embedding
unit 42, and transmits the obtained image data
(third encrypted image data) E3(E1(G) + U) to the
server.

At the same time, the hash generator 44 generates
a hash value H1 for the transmission data
(third encrypted image data) E3(E1(G) + U), signs
it, and transmits the obtained hash value H1 to the
server terminal 10.

As a result, the server terminal 10 receives the
third encrypted image data E3(E1(G) + U) and the
hash value H1, with its signature.

4) The identification unit 15 of the server terminal
10 identifies the signature for the hash value H1
received from the agency terminal 40, and confirms
that the hash value H1 matches a hash value that is
generated using the transmission data (third
encrypted image data E3(E1(G) + U)). After the
confirmation process is completed, the identification
unit 15 stores the received data.

The first decryption unit 14 decrypts the first
encrypted portion of the third encrypted image data
E3(E1(G) + U) received from the agency terminal
40, and transmits the obtained image data to the
user terminal 20.

At the same time, the hash generator 16 generates
a hash value H2 for the transmission data
E3(G + D1(U)), signs it, and transmits the data to
the agency terminal 40.

Thus, the agency terminal 40 receives data
E3(G + D1(U)) and the hash value H2, with its
signature.

5) The identification unit 45 of the agency terminal
40 identifies the signature for the hash value H2
received from the server terminal 10, and confirms
that the hash value H2 matches the hash value for
the transmission data E3(G + D1(U)). After the
confirmation process is completed, the identification
unit 45 stores the received data.

In addition, the identification unit 45 transmits
the data received from the server to the user
unchanged.

Therefore, the user terminal 20 receives the
data E3(G + D1(U)) and the hash value H2, with its
signature.

6) The identification/signature generation unit 28
identifies the signature for the hash value H2
received from the agency terminal 40, and confirms
that the hash value H2 matches the hash value for
the transmission data E3(G + D1(U)). After the
confirmation process is completed, the received
data are stored.

In addition, the identification/signature generation
unit 28 generates its own signature A for the
hash value H2, and transmits the hash value H2,
with the signature, to the server via the agency.

The identification unit 45 of the agency terminal
40 and the hash generator 16 of the server terminal
10 identify the signature A transmitted by the user,
and then store it.

7) The second encryption unit 24 of the user terminal
20 performs a second encryption process E2()
for the data E3(G + D1(U)) received from the
agency, and transmits the obtained data to the
agency.

At the same time, the hash generator 26 generates
a hash value H3 for the transmission data
E2(E3(G + D1(U))), signs it, and transmits the hash
value H3, with the signature, to the agency. In
addition, the hash generator 26 generates its own
certification data S and transmits it to the agency.

As a result, the agency terminal 40 receives the
data E2(E3(G + D1(U))), the hash value H3, with its
signature, and the certification information S.



8) The identification unit 47 of the agency terminal
40 identifies the signature for the hash value H3
received from the user, and confirms that the hash
value H3 matches the hash value for the transmission
data E2(E3(G + D1(U))). After the confirmation
process is completed, the received data are
stored.

The third decryption unit 46 decrypts the third
encrypted portion of the data E2(E3(G + D1(U)))
received from the user.

The electronic watermark embedding unit 48
embeds the certification information S in the data
E2(G + D1(U)) that are obtained by the third
decryption unit 46, and transmits the resultant data
E2(G + D1(U)) + S to the user.

In this fashion, the user terminal 20 receives
the data E2(G + D1(U)) + S.

9) In the user terminal 20, the second decryption
unit 27 decrypts the second encrypted portion of
the data E2(G + D1(U)) + S, and extracts and outputs,
with an electronic watermark, image data.

The image data Gw is represented as

Gw = G + D1(U) + D2(S).

This indicates that the first encrypted user information
(electronic watermark information) U and the second
encrypted signature information S are embedded in the
original image data.

[0078] As is described above, since the agency is in 
charge of embedding the signature information S for the 
user, basically the user can not perform an illegal act. 
While the agency embeds the user information U and 
the signature information S for the user, the user infor- 
mation U is affected by the first encryption, which only 
the server knows, and the signature information is 
affected by the second encryption, which only the user 
knows. Therefore, the agency can not embed 
D1(U + D2(S)) directly in the original image data G. 
[0079] When an illegal copy (illegal image) is found, 
an agency that committed an illegal act can be specified 
by performing the following verification processing, with- 
out using the above described agency information M. It 
should be noted that image data are not affected by the 
modification and the deletion of an electronic water- 
mark. 

[Verification Process] 
[0080] 

1) First, the server submits to the verification office
30 a first encryption key that is obtained from illegal
image data Gw' that have been discovered, and
requests a first encryption of the illegal image data
Gw' and the extraction of user information U'.

When the correct user information U' is
extracted (U' = U), program control advances to 7)
which will be discussed later.

2) When at 1) the correct user information is not
extracted, the verification office 30 requests from
the server the stored data E3(E1(G) + U), and the
hash value H1, with its signature. The verification
office 30 then identifies the hash value H1 and the
signature. Thereafter, the verification office 30
decrypts the first encrypted portion of the data
E3(E1(G) + U), generates its hash value, and confirms
that the hash value matches the hash value
H2 stored by the agency. At the same time, the
verification office 30 examines the signature provided
for the hash value H2.

3) When at 2) the hash value generated by the
verification office 30 does not match the hash value H2
stored by the agency, the verification office 30
ascertains that the server committed an illegal act.

This means that the first encryption key submitted
by the server is not correct.

4) When at 2) the hash value generated by the
verification office 30 matches the hash value H2 stored
by the agency, the verification office 30 requests
that the agency submit the third encryption key,
decrypts the third encrypted portion of the data
E3(E1(G) + U) stored by the server, and from the
obtained data extracts the user information U'.

5) When at 4) the correct user information U' is 
extracted (U' = U), the verification office 30 
ascertains that the server committed an illegal act. 

This indicates that the user information U' has 
been correctly embedded in the image data. In 
addition, since through the verification process as 
performed up to 4) it is determined that the first 
encrypted portion for the illegal image data Gw' is 
correct and the user information U' is illegal, it is 
apparent that only the server that knows the first 
encryption key could generate the illegal image 
data Gw'. 

6) When at 4) the correct user information U' is not 
extracted, the verification office 30 ascertains 
that the agency committed an illegal act. 

This indicates that the correct user information 
U' was not embedded in the image data during the 
embedding process, and the agency was in charge 
of embedding the user information. 

7) When at 1) the correct user information U' is 
extracted (U' = U), the verification office 30 
requests that the server and the agency submit the 
stored hash value H2 and a signature A' provided 
by the user for the hash value H2, and identifies the 
signature A'. 

8) When at 7) the correct signature A' is not 
identified (not submitted), the verification office 30 
ascertains that the server and the agency colluded in an 
illegal act. 

This indicates that the server and the agency 
colluded in the counterfeiting of data G + D1(U'), 
which represents an arbitrary user (user 
information U'). 

9) When at 7) the correct signature A' is identified 
(A' = A), the verification office 30 requests that the 
user submit the second encryption key, and 
performs the second encryption for the illegal image 
data Gw'. Then, the signature information S' is 
extracted. 

10) When at 9) the correct signature information S' 
is extracted (S' = S), the verification office 30 
ascertains that an illegal act was committed by the 
user. 

This is because the process for performing the 
second encryption process and for extracting the 
signature information S' can be performed only by 
the user. 

11) When at 9) the correct signature information S' 
is not extracted, the verification office 30 requests 
that the user submit the stored image 
E3(G + D1(U)) , the hash value H3, with its signa- 
ture, and identifies the hash value H3 and the sig- 
nature. Then, the verification office 30 performs the 
second encryption process for the data 
E3(G + D1(U)) , and generates a hash value for the 
data in order to ascertain whether it matches the 
hash value H3. At the same time, the verification 
office 30 also examines the signature for the hash 
value H3. 

12) When at 11) the hash value generated by the 
verification office 30 does not match the hash value 
H3 stored by the user, the verification office 30 
ascertains an illegal act was committed by the user. 

This is because the second encryption key 
submitted by the user is not correct. 

13) When at 11) the hash value generated by the 
verification office 30 matches the hash value H3 
stored by the user, the verification office 30 ascer- 
tains an illegal act was committed by the agency. 

This is because the agency did not embed the 
correct signature information S in the image data 
during the embedding process. 

[0081] As is described above, according to the second 
embodiment, the verification office is not necessary 
until an illegal image is found, and any illegal act can not 
be determined to have been performed before an illegal 
image is found. In addition, so long as the above 
described verification processing is well known, and the 
server, the agency and the user monitor the results of 
that processing, an illegal act by them can be specified 
in accordance with the situation, even without the verifi- 
cation office 30 being involved. 
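
The thirteen-step verification process above, written out as an added example (it is not part of the patent text). The check names, the `Verdict` type and the evidence labels are hypothetical; each check stands for the outcome of one extraction, hash or signature test named in the steps, and the function records which party is asked for which secret on each path.

```python
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List, Tuple

# One boolean outcome per test performed by the verification office.
CHECKS = ("user_info_extracted",       # step 1: U' = U after first encryption
          "hash_matches_h2",           # step 2: recomputed hash equals H2
          "user_info_in_stored_data",  # step 4: U' = U in server's stored data
          "signature_a_valid",         # step 7: user's signature A' on H2
          "signature_info_extracted",  # step 9: S' = S after second encryption
          "hash_matches_h3")           # step 11: recomputed hash equals H3


@dataclass(frozen=True)
class Verdict:
    culprit: str                # party found to have acted illegally
    step: int                   # step of the procedure that decided it
    requested: Tuple[str, ...]  # evidence demanded, in order


def attribute_blame(checks: Dict[str, Callable[[], bool]]) -> Verdict:
    """Walk steps 1) to 13); a check is evaluated only if its step is reached."""
    requested: List[str] = []

    def ask(evidence: str, check: str) -> bool:
        requested.append(evidence)
        return checks[check]()

    def verdict(culprit: str, step: int) -> Verdict:
        return Verdict(culprit, step, tuple(requested))

    if not ask("server: first encryption key", "user_info_extracted"):
        # Steps 2) to 6): the dispute is between server and agency only.
        if not ask("server: E3(E1(G) + U), H1 and its signature",
                   "hash_matches_h2"):
            return verdict("server", 3)
        if ask("agency: third encryption key", "user_info_in_stored_data"):
            return verdict("server", 5)
        return verdict("agency", 6)

    # Steps 7) to 13): the user's key is requested only after A' checks out.
    if not ask("server and agency: H2 with the user's signature A'",
               "signature_a_valid"):
        return verdict("server+agency", 8)
    if ask("user: second encryption key", "signature_info_extracted"):
        return verdict("user", 10)
    if not ask("user: E3(G + D1(U)), H3 and its signature",
               "hash_matches_h3"):
        return verdict("user", 12)
    return verdict("agency", 13)


def outcomes(**known: bool) -> Dict[str, Callable[[], bool]]:
    """Wrap fixed results as checks; an unlisted check raises if consulted."""
    return {name: (lambda value=value: value) for name, value in known.items()}


def enumerate_outcomes() -> List[Tuple[int, str]]:
    """All distinct (step, culprit) leaves over every combination of results."""
    leaves = set()
    for values in product((False, True), repeat=len(CHECKS)):
        v = attribute_blame(outcomes(**dict(zip(CHECKS, values))))
        leaves.add((v.step, v.culprit))
    return sorted(leaves)


if __name__ == "__main__":
    for step, culprit in enumerate_outcomes():
        print(f"step {step:2d}: {culprit}")
```
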

(Third Embodiment) 

[0082] Recently, the transfer of money across net- 
works, a fund transfer procedure that is called electronic 
cash, has come to be employed. Since as with a regular 
cash payment, the name of the owner of an electronic 
cash transfer is not identified, anonymity is attained. If 
the attainment of anonymity were not possible, a seller 
of a product could obtain from an electronic cash 
transfer information concerning a purchaser and the use of 
its product, and the privacy of a user would not be pro- 
tected. Therefore, the protection of the privacy of a user 
is as important as is the protection provided for a copy- 
right granted to a creator who uses an electronic water- 
mark. 

[0083] In a third embodiment, therefore, the anonymity 
of a user is provided for a purchaser, and when an ille- 
gal act, such as the illegal distribution of images, is dis- 
covered, it is possible to identify an unauthorized 
distributor, which is the original purpose of an electronic 
watermark. This is achieved by employing, for example, 
a system 300 shown in Fig. 9. 

[0084] The system 300 has the same structure as has 
the system 200 in Fig. 8, while an anonymous public key 
certificate, which is issued by a certification office 50, is 
provided for a user terminal 20. 

[0085] Generally, in order to authenticate signature 
information, a certificate issued by an organization 
called a certification office is added to a public key that 
is used when examining the signature information. 
[0086] A certification office is an organization that 
issues certificates for public keys assigned to users to 
provide public key authentication that is consonant with 
the requirements of the public key encryption system. 
That is, a certification office employs its own secret key 
to provide a signature for a user's public key, or for data 
concerning the user, and for this purpose prepares and 
issues a certificate. When a user receives from another 
user a signature that is accompanied by a certificate, 
the user examines the certificate using the public key of 
the certification office to verify the authentication pro- 
vided by the user who transmitted the public key (or, at 
the least, the fact that authentication has been provided 
the user by the certification office). Both VeriSign and 
CyberTrust are well known organizations that operate 
such certification offices. 

[0087] When at procedure 1) of the embedding proc- 
ess in the second embodiment an agency examines a 
signature to verify the contract information submitted for 
a user, the agency can employ the public key with a sig- 
nature issued by a certification office. 
[0088] However, since the name of the owner of the 
public key is generally written in the certificate, user 
anonymity is not provided at the time data are pur- 
chased. 

[0089] On the other hand, if the certification office 
keeps secret the correspondence of public keys and 
their owners, the name of an owner may not be written 
in a certificate issued for a public key. A public key for 
which such a certificate is provided is called an "anony- 
mous public key with a certificate." 
[0090] In procedure 1) of the above described 
embedding process, when a user transmits to a server not only 
contract information but also a signature for the contract 
information and an anonymous public key, accompa- 
nied by a certificate, to enable the examination of the 
signature information S, the user can remain anony- 
mous when purchasing digital data. Therefore, the 
anonymous public key, accompanied by the certificate, 
is transmitted to the agency as information to be used 
for user verification. And when an illegal transaction is 
discovered and the user must be identified, the anony- 
mous public key, accompanied by the certificate, is 
transmitted to the certification office 50 with a request 
for the user name which corresponds to that of the 
owner of the public key. 

[0091] Therefore, when procedure 1) in the embed- 
ding process and procedure 7) in the verification proc- 
ess in the second embodiment are performed as 
follows, the anonymity of a user when purchasing digital 
data can be maintained, but when an illegal transaction 
is discovered, the user responsible for the perpetration 
of the transaction can be identified. 
[0092] The embedding process and the verification 
process performed by the system 300 in Fig. 9 will be 
specifically described. 

[0093] The same reference numerals as are used in 
the system 200 in Fig. 8 are also used to denote corre- 
sponding components of the system 300 in Fig. 9, and 
no detailed explanation for them will be given. Only the 
differing portions will be specifically explained. 
[0094] Since the procedures, other than procedure 1) 
in the embedding process and procedure 1) in the veri- 
fication process, are the same as those in the second 
embodiment, no detailed explanation of them will be 
given. 

[Embedding Process] 
[0095] 

1') First, in the user terminal 20, a contract genera- 
tor 21 provides, for contract information for request- 
ing desired image data, a signature that 
corresponds to an anonymous public key, accom- 
panied by a certificate issued by the certification 
office 50. Together with the anonymous public key, 
accompanied by the certificate, contract informa- 
tion is transmitted to the agency by the user. 

[0096] The agency terminal 40 identifies the received 
contract information by using the anonymous public key, 
accompanied by the certificate, and issues a request for 
the image data to the server. 

[0097] Hereinafter, procedures 2) to 9) of the 
embedding process in the second embodiment are performed. 
[0098] In this case, the user basically can not perform 
any illegal act, and the agency can not embed 
D1(U + D2(S)) directly in the original image data. 
[0099] When an illegal copy (illegal image) is found, 
the following verification process is performed. 

[Verification Process] 
[0100] 

1) to 6) First, procedures 1) to 6) of the verification 
process in the second embodiment are performed. 

7') When in procedure 1) correct user information U' 
is extracted (U' = U), a verification office 30 
submits to the certification office 50 the user 
information U' and the anonymous public key, 
accompanied by the certificate that is extracted 
from the contract information. The verification office 
30 requests from the certification office 50 the 
identity of the user whose name corresponds to that of 
the owner of the anonymous public key. The 
verification office 30 also requests that the server and 
the agency submit a stored hash value H2 and a 
signature A', for the hash value H2 provided by the 
user, and identifies the signature A'. 

[0101] Hereinafter, procedures 8) to 13) in the verifi- 
cation process in the second embodiment are per- 
formed. 
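
The anonymous-certificate flow of procedures 1') and 7'), as an added example that is not part of the patent text. Textbook RSA over small fixed Mersenne primes stands in for whatever public-key scheme is deployed and is not secure; the class and function names, the owner name and the contract string are constructed for illustration.

```python
import hashlib


def make_keypair(p, q, e=65537):
    """Textbook RSA key pair from two primes (toy: no padding, tiny modulus)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def _digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    n, d = private_key
    return pow(_digest(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)


def encode_key(public_key) -> bytes:
    return ("%d:%d" % public_key).encode()


class CertificationOffice:
    """Signs public keys without naming the owner; keeps the mapping secret."""

    def __init__(self, p, q):
        self.public_key, self._private_key = make_keypair(p, q)
        self._owners = {}  # anonymous public key -> owner name, never published

    def issue_anonymous_certificate(self, owner_name, user_public_key) -> int:
        self._owners[user_public_key] = owner_name
        # The certificate covers the key only, so it carries no owner name.
        return sign(self._private_key, encode_key(user_public_key))

    def reveal_owner(self, user_public_key, certificate) -> str:
        """Procedure 7'): answer the verification office's identity request."""
        if not verify(self.public_key, encode_key(user_public_key), certificate):
            raise ValueError("certificate was not issued by this office")
        return self._owners[user_public_key]


def agency_accepts(office_public_key, contract, contract_signature,
                   user_public_key, certificate) -> bool:
    """Procedure 1'): the agency checks certificate and contract signature."""
    return (verify(office_public_key, encode_key(user_public_key), certificate)
            and verify(user_public_key, contract, contract_signature))


# Constructed sample data: one office, one user, one contract.
OFFICE = CertificationOffice(2**127 - 1, 2**107 - 1)
USER_PUB, USER_PRIV = make_keypair(2**89 - 1, 2**61 - 1)
CERT = OFFICE.issue_anonymous_certificate("Alice Example", USER_PUB)
CONTRACT = b"contract: image 17, single licence"
CONTRACT_SIG = sign(USER_PRIV, CONTRACT)

if __name__ == "__main__":
    print("agency accepts purchase:",
          agency_accepts(OFFICE.public_key, CONTRACT, CONTRACT_SIG,
                         USER_PUB, CERT))
    print("identity revealed on dispute:", OFFICE.reveal_owner(USER_PUB, CERT))
```

The agency sees only the key and the office's signature over it; the owner name leaves the certification office only through `reveal_owner`.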

[0102] As is described above, according to the third 
embodiment, as well as the second embodiment, there 
is no need for the verification office 30 until an illegal 
image has been discovered, and no illegal act can be 
performed until an illegal image is discovered. In addi- 
tion, so long as the above described verification 
processing is well known, and the server, the agency 
and the user monitor the results of that processing, an 
illegal act committed by any of them can be identified in 
accordance with the situation, even without the interces- 
sion of the verification office 30. 

[0103] In the third embodiment, a certification office 
50 is additionally provided for the system 200 in the sec- 
ond embodiment. However, the modification of the sys- 
tem arrangement is not thus limited, and a certification 
office 50 may be provided for the system 100 in the first 
embodiment. In this case, procedure 1) in the 
embedding process in the first embodiment corresponds to 
procedure 1') for the third embodiment, and procedure 
8) in the verification process in the first embodiment cor- 
responds to procedure 7) for the third embodiment. 
[0104] Various data, to include image data in the first 
to the third embodiments and hash values obtained dur- 
ing the embedding process for electronic watermark 
information, can be stored using the following image for- 
mat. 

[0105] According to the following general image 
format, for example, image data that are transmitted at 
individual steps can be stored in an image data portion, 
and a corresponding hash value and its signature can 
be stored in an image header portion. Furthermore, a 
hash value and its accompanying signature, which the 
user must retain, and the second encryption key can be 
stored in the image header portion, while image data 
having an electronic watermark can be stored in the 
image data portion. 

[0106] According to the following FlashPix™ file 
format, the general image format, which includes the hash 
value and the signature, can be stored as data in each 
layer. And the hash value and the signature may be 
stored as attribute information in a property set. 

[Explanation For General Image Format] 

[0107] According to the general image format, an 
image file is divided into an image header portion and 
an image data portion, as is shown in Fig. 10. 
[0108] Generally, stored in the image header portion 
are information that is required for reading image data 
from an image file, and additional information for 
explaining the contents of an image. In the example in 
Fig. 10 are stored an image format identifier describing 
the name of an image format, a file size, the width, 
height and depth of an image, information as to whether 
data are compressed or not, a resolution, an offset to an 
image data storage location, the size of a color palette, 
etc. Image data are sequentially stored in the image 
data portion. 

[0109] Typical examples of such image formats are 
Microsoft's BMP format and CompuServe's GIF format. 

[Explanation of File Format] 

[0110] According to the following file format, attribute 
information stored in the image header portion, and the 
image data stored in the image data portion are rear- 
ranged to more closely correspond to a structure and 
are stored in the file. A structured image file is shown in 
Figs. 11 and 12. 

[0111] The individual properties and the data in the file 
are accessed as storage areas and streams that corre- 
spond to the directories and files of MS-DOS. 
[0112] In Figs. 11 and 12, the shaded portions are 
storage areas and the unshaded portions are streams. 
Image data and image attribute information are stored 
in the streams. 

[0113] In Fig. 11, the image data are arranged 
hierarchically in accordance with their differing resolutions, 
with one image for each resolution being called a 
Subimage and being represented by a Resolution 0, 1, 
..., or n. For one image for each resolution, the 
information that is required for reading the image data is stored 
in a Subimage Header area, and the image data are 
stored in a Subimage data area. 
[0114] The property sets, which are composed of 
attribute information that is defined by sorting it in con- 
sonance with the purpose of its use and with its con- 
tents, comprise Summary Info. Property Sets, Image 
Info. Property Sets, Image Content Property Sets and 
Extension List Property Sets. 

[Explanation for Each Property Set] 

[0115] A Summary Info. Property Set is not an inher- 
ent part of this file format, but is required for the storage 
of the title, the name, and the author of a file, and a 
thumb-nail image. 

[0116] General information concerning a storage unit 
(Storage) is stored in the Com Obj. Stream. 
[0117] An Image Content Property Set is an attribute 
for describing a storage method used for image data 
(see Fig. 13). For this attribute there are provided the 
count of the layers of image data, the width and height 
of an image at its maximum resolution, the width, the 
height and the color of an image at each resolution, and 
the definition of a quantization table or a Huffman table 
used for JPEG compression. 

[0118] An Extension List Property Set is an area used 
to add information that is not included in the basic spec- 
ification for the above file format. 
[0119] In an ICC Profile area is described a specified 
ICC (International Color Consortium) conversion profile 
for spatial color conversion. 

[0120] In an Image Info. Property Set are stored vari- 
ous types of information that can be utilized to employ 
image data. For example, the following types of informa- 
tion describe how an image is fetched and how it can be 
used: 

* information concerning a fetching method or a 
generation method for digital data; 
* information concerning a copyright; 
* information concerning the contents of an image (a 
person or the scenery in an image); 
* information concerning a camera used to take a 
photograph; 
* information concerning the setup used for a camera 
(exposure, shutter speed, focal distance, whether a 
flash was used, etc.); 
* information concerning a resolution unique to a 
digital camera and a mosaic filter; 
* information concerning the name of the maker of 
the film, and the name and the type 
(negative/positive, or color/monochrome) of the film; 
* information concerning the type and the size when 
the original is a book or other printed matter; and 
* information concerning a scanner and a software 
application that was used to scan an image, and the 
operator. 

[0121] In Fig. 12 is shown an image file in which a 
viewing parameter, which is used for displaying an 
image, and image data are stored together. The viewing 
parameter is a set of coefficients that are stored for use 
when adjusting the rotation, the enlargement/reduction, 
the shifting, the color conversion and the filtering 
processing for an image when it is displayed. 
[0122] In Fig. 12, in a Global Info. Property Set area, 
is written a list of locked attributes, for example, an index 
for a maximum image, an index for the most altered item, 
and information concerning the person who made the 
last correction. 

[0123] Furthermore, a Source/Result FlashPix Image 
Object constitutes the substance of the image data, but 
whereas a Source FlashPix Image Object is required, a 
Result FlashPix Image Object is optional. Original 
image data are stored in the Source FlashPix Image 
Object area, and image data obtained by image 
processing using the viewing parameter are stored in 
the Result FlashPix Image Object area. 
[0124] Source/Result Desc. Property Set is a property 
set used to identify the above image data. An image ID, 
a property set for which changes are inhibited, and the 
date and the time of the last update are stored in this 
area. 

[0125] In a Transform Property Set area are stored an 
affine conversion coefficient used for the rotation, the 
enlargement/reduction and the shifting of an image, a 
color conversion matrix, a contrast adjustment value, 
and a filtering coefficient. 

[Explanation Of How To Handle Image Data] 

[0126] Employed for this explanation is an image 
format that includes a plurality of images having different 
resolutions that are obtained by dividing an image into a 
plurality of tiles. 

[0127] In Fig. 14 is shown an example image file that 
is constituted by a plurality of images having different 
resolutions. In Fig. 14, an image having the highest 
resolution consists of X0 columns x Y0 rows, and an image 
having the next highest resolution consists of X0/2 
columns x Y0/2 rows. The number of columns and the 
number of rows are sequentially reduced by 1/2 until the 
columns and rows are equal to or smaller than 64 pixels, 
or until the columns and the rows are equal. 
[0128] As a result of the layering of image data, the 
number of layers in one image file is required image 
attribute information, and the header information and 
the image data, which have been explained for the 
general image format, are also required for an image at 
each layer (see Fig. 10). The number of layers in one 
image file, the width and the height of an image at its 
maximum resolution, the width, the height and the color 
of an image having an individual resolution, and a 
compression method are stored in the Image Content 
Property Set area (see Fig. 13). 

[0129] The image at a layer at each resolution is 
divided into tiles, each of which is 64 x 64 pixels, as is 
shown in Fig. 15. When an image is divided beginning 
at the left upper portion into tiles of 64 x 64 pixels, a 
blank space may occur in one part of a tile at the right 
edge or the lower edge. In this case, the rightmost 
image or the lowermost image is repeatedly inserted to 
construct a 64 x 64 pixel tile. 

[0130] In this FlashPix™ format, image data for the 
individual tiles are stored using either JPEG 
compression, or the single color or a non-compressed method. 
JPEG compression is the image compression 
technique internationally standardized by ISO/IEC 
JTC1/SC29, and thus an explanation of this technique 
will not be given. The single color method is a technique 
whereby when one tile is constructed entirely of pixels 
having the same color, the tile is expressed as a single 
color, with no individual pixel values being recorded. 
This method is especially effective for images that are 
generated using computer graphics. 
[0131] The image data that are thus divided into tiles 
are stored, for example, in the Subimage data stream in 
Fig. 11, and the total number of tiles, the sizes of the 
individual tiles, the location at which data begin, and the 
data compression method are stored in the Subimage 
Header area (see Fig. 16). 
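
The layering and tiling rules of paragraphs [0127] to [0130], as an added example that is not part of the patent text. It assumes odd dimensions are rounded up when halved and applies only the 64-pixel stopping rule; the function names and the sample image are constructed.

```python
TILE = 64  # tile edge in pixels, per paragraph [0129]


def resolution_levels(width, height):
    """Sizes of Resolution 0..n: halve until both sides fit in 64 pixels.

    Rounding odd sizes up is an assumption; the text only says "reduced by 1/2".
    """
    levels = [(width, height)]
    while levels[-1][0] > TILE or levels[-1][1] > TILE:
        w, h = levels[-1]
        levels.append(((w + 1) // 2, (h + 1) // 2))
    return levels


def split_into_tiles(pixels):
    """Cut a row-major image (list of rows) into 64 x 64 tiles, left to right,
    top to bottom. Tiles that overhang the right or lower edge are filled by
    repeating the rightmost column or the lowermost row."""
    height, width = len(pixels), len(pixels[0])
    tiles = []
    for top in range(0, height, TILE):
        for left in range(0, width, TILE):
            tiles.append([
                [pixels[min(y, height - 1)][min(x, width - 1)]
                 for x in range(left, left + TILE)]
                for y in range(top, top + TILE)
            ])
    return tiles


def encode_tile(tile):
    """Single color method: a uniform tile is stored as one value; any other
    tile is kept uncompressed here (JPEG is outside this example)."""
    first = tile[0][0]
    if all(value == first for row in tile for value in row):
        return ("single-color", first)
    return ("raw", tile)


def sample_image(width=100, height=70):
    """Constructed test image: a flat 64 x 64 corner, a gradient elsewhere."""
    return [[7 if (x < TILE and y < TILE) else x + 1000 * y
             for x in range(width)]
            for y in range(height)]


if __name__ == "__main__":
    print(resolution_levels(200, 100))
    tiles = split_into_tiles(sample_image())
    print(len(tiles), [encode_tile(t)[0] for t in tiles])
```
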

[0132] In the first to the third embodiments, electronic 
watermark information can be embedded using various 
methods. 

[0133] Further, the first encryption to the third 
encryption can also be implemented by employing various 
methods, such as an encryption system for altering the 
bit arrangement in consonance with an encryption key. 
[0134] In addition, a hash value and its signature can 
be provided for all data that are to be transmitted. 
[0135] In these embodiments, the first encryption to 
the third encryption are performed during the electronic 
watermark information embedding process in order to 
prevent a third party from acquiring the information 
stored at the server, the user and the agency. However, 
DES (Data Encryption Standard) cryptography or a 
hash function may be employed to prevent wiretapping 
and the alteration of data across a communication path 
by a third party. 

[0136] Furthermore, in the first to the third embodi- 
ments, the server (or the author) is in charge of the 
detection of illegal data distribution. However, so long as 
electronic watermark extraction means is provided, any 
user can detect an illegal data distribution and user 
information that has been illegally distributed, even 
though he or she does not know the secret key for the 
first encryption or the second encryption. When an inci- 
dence of illegal data distribution is detected, the user 
need only notify the server for the verification process to 
be begun. Therefore, the process of detecting illegal 
distributions is not limited to the server. 
[0137] The server can embed in the image data not 
only the user information U but also other, needed infor- 
mation, such as copyright information and information 
concerning an image data distribution condition. In 
addition, to embed secret information, the server or the 
agency need only perform the embedding process fol- 
lowing the first encryption, so that in addition to the sig- 
nature information, information that is affected by the 
first encryption can be embedded in the image data. 
The user information U is not always embedded before 
the first encryption, and may be embedded after the first 
encryption (in this case, the detection of the user 
information U can be performed only by the server, the 
agency, or a person who knows the secret key used for 
the first encryption). 

[0138] When a user is a second entity that shares a 
printer or a terminal, the user's signature information 
and the second encryption may include the signature 
information and the encryption system for the printer or 
terminal that is used in common. 
[0139] The first encrypted information from the server 
(or the author) may be widely distributed across a net- 
work or by using a CD-ROM, even without its distribu- 
tion being requested by the user based on the contract 
information. 

[0140] The signature information S for the user is not 
necessarily generated by the public key encryption 
method, but may be information (e.g., a code number) 
that is defined by the user based on the contract infor- 
mation. 

[0141] In the United States, to employ encryption for 
40 bits or more, a key management office is required to 
manage an encryption key in order to prevent the unau- 
thorized use of the cryptograph. The verification office 
30, therefore, can also serve as a key management 
office. And when the verification office 30 provides 
advance management of the secondary encryption key, 
the verification office 30 can by itself perform the verifi- 
cation processes 1) to 3) by performing the monitoring 
for an illegal image. The first encryption key of the 
server may be managed either by the same verification 
office, or by another key management office. And the 
keys of the server and the user may be generated and 
distributed by the key management office. 
[0142] In addition, instead of a single agency, a plural- 
ity of agencies may be provided hierarchically. In this 
case, a specific agency in charge of the hierarchical 
structure may perform the processing that the agency is 
in charge of, or the individual agencies may perform the 
protocol to specify an agency to be in charge. 
[0143] Further, in these embodiments, upon receiving 
a request, the server (or the author) has been responsi- 
ble for transmitting to the agency the first encrypted 
data E1(G) or E1(G + M) of the original data. However, 
the server may transmit the data E1(G) or E1(G + M) to 
the agency in advance. 

[0144] The third encryption performed by the agency 
does not affect the image data Gw that is finally 
obtained. However, the image data Gw may be affected 
by the third encryption through the process whereby the 
user information U is embedded after the third encryp- 
tion, or whereby the signature information S is embed- 
ded after the third encryption. 

[0145] The objectives of the present invention can be 
achieved when a storage medium on which are stored, 
as software program code, the steps for implementing 
the functions of the host and the terminals in the first to 
the third embodiments is supplied to a system, or to the 
apparatus of the server, the agency or the user, and 
when the computer (or a CPU or an MPU) in the system 
or the apparatus can perform the steps by reading the 
program code stored on the storage medium. 
[0146] In this case, the program code read from the 
storage medium is used to implement the functions of 
the above described embodiments. The storage 
medium on which the program code is stored consti- 
tutes the present invention. 

[0147] A storage medium for supplying such program 
code can be, for example, a ROM, a floppy disk, a hard 
disk, an optical disk, a magneto optical disk, a CD- 
ROM, a CD-R, a magnetic tape, or a nonvolatile mem- 
ory card. 

[0148] In addition, the scope of the present invention 
includes not only a case wherein the functions of the 
first to the third embodiments can be implemented when 
the program code is read and executed by the compu- 
ter, but also a case wherein, in accordance with an 
instruction included in the program code, the functions 
of the above embodiments are implemented when an 
OS that is running on the computer performs one part, 
or all of the actual processing. 

[0149] Furthermore, the present invention includes a 
case wherein program code, read from a memory 
medium, is written into a memory that is mounted on a 
function expansion board that is inserted into a compu- 
ter, or on a function expansion unit that is connected to 
a computer, and in consonance with the program code 
instructions, a CPU mounted on the function expansion 
board, or on the function expansion unit, performs one 
part, or all of the actual processing in order to imple- 
ment the functions included in the first to the third 
embodiments. 

[0150] As is described above, according to the first to 
the third embodiments, information concerning the third 
entity (user) can be embedded by the second entity 
(agency). In this case, the third entity can not perform 
an illegal act. Further, the second entity can not directly 
embed in the original data information (user information 
U or signature information S) concerning the third entity, 
because this information is affected by a cryptograph 
(the first encryption and the cryptography used by the 
first encryption means) that only the first entity (the 
server or the author) knows, or a cryptograph (the sec- 
ond encryption and the cryptography used by the sec- 
ond encryption) that only the third entity knows. 
[0151] Therefore, an illegal data distribution can be 
prevented in a hierarchical network, and a safe system 
can be provided. Furthermore, the anonymity of the 
user can be easily implemented. 

(Fourth Embodiment) 

[0152] A fourth embodiment of the present invention 
will now be described while referring to Fig. 17. 
[0153] An electronic watermark method according to 
the present invention is performed by, for example, a 
system 100 shown in Fig. 17, to which an electronic 
information distribution system according to the present 
invention has been applied. 

[0154] Specifically, the system 100 is a network 
system, which is constituted by multiple entities (not shown) 
that include a terminal 10 at a first entity side 
(hereinafter referred to as a first terminal), a terminal 20 at a 
second entity side (hereinafter referred to as a second 
terminal), and a terminal 30 at a verification office side 
(hereinafter referred to as a verification terminal). The 
individual entities exchange digital data across the 
network. 

[0155] The first terminal 10 comprises: a contract 
identification unit 11, for receiving data from the second 
terminal 20; an electronic watermark embedding unit 
12, for receiving, for example, the output of the contract 
identification unit 11 and image data (digital data); a first 
encryption unit 13, for receiving the output of the 
electronic watermark embedding unit 12; and a first 
decryption unit 14, for receiving data from the second terminal 
20. The data for the first encryption unit 13 and the first 
decryption unit 14 are transmitted to the second 
terminal 20. 

[0156] The second terminal 20 comprises: a contract 
generator 21, for transmitting data to the contract 
identification unit 11 of the first terminal 10; a signature 
generator 22; an electronic watermark embedding unit 23, 
for receiving data from the signature generator 22 and 
the first encryption unit 13 of the first terminal 10; a 
second encryption unit 24, for receiving data from the 
electronic watermark embedding unit 23; and a second 
decryption unit 25, for receiving the data from the first 
decryption unit 14 of the first terminal 10. The data from 
the second decryption unit 25 are output as image data 
with an electronic watermark. The data from the second 
encryption unit 24 are transmitted to the first decryption 
unit 14 of the first terminal 10 and to the verification 
terminal 30. 

[0157] The verification terminal 30 comprises: a second decryption unit
31, for receiving data from the second encryption unit 24 of the second
terminal 20; and an electronic watermark identification unit 32, for
receiving data from the second decryption unit 31. The data from the
electronic watermark identification unit 32 are transmitted to the
first terminal 10 and the second terminal 20, and the data from the
second decryption unit 31 are transmitted to the first decryption unit
14 of the first terminal 10.

[0158] In the thus arranged electronic information distribution system
according to this embodiment, the embedding processing is sorted into a
first embedding process for transmitting digital data from the servers
or the authors to the agency shown in Fig. 4 or 5, and a second
embedding process for transmitting digital data from the agency to the
users. In this embodiment, the following protocol is the same as the
one employed for the first and the second embedding processes. As a
whole, the first embedding process is performed first, and then the
second embedding process is performed.
[0159] In the following explanation, for the first embedding process
the first entity means a server or an author and the second entity
means an agency. For the second embedding process the first entity
means the agency and the second entity means a user. Therefore, at
least the terminal used by the agency includes all the processors
provided for the first terminal 10 and the second terminal 20 in
Fig. 17.

[0160] A specific protocol for performing the first and the second
embedding processes will now be described while referring to Fig. 17.
According to this protocol, information concerning the first
encryption, such as the method and a secret key, is available only to
the first entity, and information concerning the second encryption is
available only to the second entity. It should be noted, however, that
for these encryption processes a property exists that regardless of
which encryption process is performed first, the encrypted data can be
decrypted. Hereinafter, the encryption process is represented by
"Ei()," the decryption process is represented by "Di()" and the
embedding process concerning an electronic watermark is represented by
[0161] The processing performed by the thus arranged system 100 will
now be described. An explanation will be given first for the electronic
watermark embedding processing.

[Embedding Process] 

[0162] 


1) First, the second entity of the second terminal 20 requests from the
first terminal 10 (first entity) desired image data bearing its
signature. The requested data is signature information that is
generated by the contract generator 21 and that is hereinafter called
contract information.

2) In the first entity of the first terminal 10, the contract
identification unit 11 employs the signature of the second entity to
identify the received contract information, and then prepares user
information U using the contract information. The electronic watermark
embedding unit 12 embeds in the requested image data G the user
information U that is prepared by the contract identification unit 11.
The first encryption unit 13 performs the first encryption E1() for
image data (G + U) in which the user information U has been embedded by
the electronic watermark embedding unit 12, and transmits the obtained
data to the second terminal 20. The second terminal 20, therefore,
receives the first encrypted image data E1(G + U).

3) In the second terminal 20, the signature generator 22 generates
signature information S using the secret key of the second entity. The
electronic watermark embedding unit 23 embeds the signature information
S, generated by the signature generator 22, in the first encrypted
image data E1(G + U) that have been transmitted (distributed) by the
first terminal 10. The second encryption unit 24 performs the second
encryption for the first encrypted image data E1(G + U) + S, in which
the signature information S is embedded by the electronic watermark
embedding unit 23. The obtained image data are then transmitted to the
verification terminal 30. The verification terminal 30, therefore,
receives the second encrypted image data E2(E1(G + U) + S).

The second encryption unit 24 generates a hash value H2 for the second
encrypted image data E2(E1(G + U) + S), which are to be transmitted to
the verification terminal 30. The second encryption unit 24 then
provides a signature for the hash value H2, and except for the
signature information S and the second encryption secret key, transmits
it to the verification terminal 30 accompanied by secret information
concerning the electronic watermark. The secret information constitutes
information that concerns the embedding position and the strength
required to detect an electronic watermark, and that is encrypted using
another encryption method which is shared with the verification
terminal 30. The hash value is a value obtained by calculating the hash
function h(), and the hash function is a compression function that
seldom causes a collision. A collision in this case would mean that for
the different values x1 and x2, h(x1) = h(x2). The compression function
is a function for converting a bit string having a specific bit length
into a bit string having a different bit length. Therefore, the hash
function is a function h() by which a bit string having a specific bit
length is converted into a bit string having a different bit length,
and for which values x1 and x2 that satisfy h(x1) = h(x2) are not
easily found. Since a value x that satisfies y = h(x) is not easily
obtained from an arbitrary value y, accordingly, the hash function is a
unidirectional function. Specific examples for the hash function are an
MD (Message Digest) 5 or an SHA (Secure Hash Algorithm).

4) The verification terminal 30 identifies the signature accompanying
the hash value H2 received from the second terminal 20, and confirms
that the hash value H2 matches the hash value for the transmission
data. After confirming the match, the second decryption unit 31
decrypts the second encrypted image data E2(E1(G + U) + S) received
from the second terminal 20, and extracts the signature information S
therefrom. The electronic watermark identification unit 32 examines the
signature information S, and if the signature information S is correct,
the verification information is prepared using the signature for the
verification terminal 30. Finally, the verification terminal 30
transmits, to the first terminal 10, the second encrypted image data
E2(E1(G + U) + S) and the hash value H2 and its accompanying signature,
all of which are received from the second terminal 20, and the
verification information for them and its signature.

5) In the first terminal 10, the first entity identifies the
verification information and its accompanying signature received from
the verification terminal 30, and also the second encrypted image data
E2(E1(G + U) + S), and the hash value H2 and its accompanying
signature. After this confirmation process has been completed, the
first decryption unit 14 decrypts the first encrypted portion of the
second encrypted image data E2(E1(G + U) + S) to obtain image data
E2(G + U) + D1(E2(S)), which is in turn transmitted to the second
terminal 20.

6) In the second terminal 20, the second decryption unit 25 decrypts
the second encrypted portion of the image data E2(G + U) + D1(E2(S))
received from the first terminal 10, and extracts image data Gw in
which is embedded an electronic watermark. Therefore, the image data Gw
that includes the electronic watermark is represented as
Gw = G + U + D1(S). This means that the user information U and the
signature information S for the second entity that are affected by the
first decryption are embedded as electronic information in the original
image data.

[0163] If in procedure 4) the verification terminal 30 does not verify
the electronic watermark information because either the first or the
second entity committed an illegal act, notifications to that effect
are transmitted to the first and the second terminals 10 and 20. Thus,
when the trading is halted at this time, even though the first entity
can not acquire the price of the data, at the same time it can prevent
the image data from being illegally obtained by the second entity; or
even though the second entity can not obtain the image data, at the
same time it does not have to pay the price of the data to the first
entity. Therefore, since neither the first nor the second entity
experiences a profit or a loss, the commission of an illegal act is
senseless.
[0164] Specifically, when the electronic watermark embedding process is
performed, in the first embedding process the agency that constitutes
the second entity can obtain image data Gw, which includes an
electronic watermark, that is prepared by embedding its own signature
information S in the original data G output by the server or by the
author that constitutes the first entity. It should be noted that when
the user information and the signature information for the first
embedding process are U1 and S1, the image data Gw, which includes an
electronic watermark, that the agency obtains is
Gw = G + U1 + D1(S1).

[0165] Following this, the second embedding process is performed in the
same manner (the agency is the first entity), while the image data Gw,
which includes an electronic watermark, that is obtained by the agency
is employed as the original image. Then, the user who serves as the
second entity can obtain the image data, which includes an electronic
watermark, Gww = G + U1 + D1(S1) + U2 + D3(S2). The user information
and signature information in the second embedding process are U2 and
S2, and the encryption performed by the agency is represented as E3(),
while the decryption is represented as D3().
[0166] When an illegal copy (illegal image) is discovered, the party
that committed the illegal act can be easily identified by performing
the following simple verification process. This verification process is
broken down into a first verification process, which corresponds to the
first embedding process and which is performed by the server or the
author and the agency, and a second verification process, which
corresponds to the second embedding process and which is performed by
the agency and the user. The first verification process is performed
first, and then the second verification process is performed.

[0167] In the first verification process the user information and the
signature information are U1 and S1, and the encryption and decryption
performed by the agency are E3() and D3(). In the second verification
process the user information and signature information are U2 and S2.
The image data are not affected by the modification and the deletion of
electronic watermark information.

[Verification Process] 

[0168] 

1) In the first verification process, the first entity of the first
terminal 10 extracts user information U' from the illegal image data
Gw' = G + U' + D1(S') that was discovered. Further, the first entity
performs the first encryption for the illegal image data Gw' and
extracts signature information S'. When the user information U' is not
extracted, it is ascertained that the first entity committed the
illegal act.

2) When the correct signature information S' is extracted in the first
verification process (S' = S), the second verification process is
initiated. The same procedure is performed in the second verification
process. When the correct signature information is found, it is
ascertained that the second entity committed the illegal act. This is
because only the second entity could prepare the correct signature
information as the first entity could have no knowledge of the correct
signature information.

3) When the correct signature information is not extracted (S' ≠ S), it
is ascertained that the first entity committed the illegal act.
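
The fourth embodiment's embedding procedures 2), 3), 5) and 6) and its first verification process, worked through as an added Python example that is not part of the patent text. The patent names neither the ciphers nor the watermark, so this sketch assumes Ei(x) = ki * x mod 257 per sample (which commutes and distributes over the additive embedding "+"), disjoint sample positions for U and S, an HMAC as a stand-in for the signature information, and a first entity that keeps the original G; the verification terminal's role is reduced to the H2 comparison.

```python
import hashlib
import hmac

P = 257  # toy prime modulus (assumption): every sample is a residue mod P


def enc(key, data):
    """Ei(): multiply every sample by the entity's secret key mod P."""
    return [(key * x) % P for x in data]


def dec(key, data):
    """Di(): multiply every sample by the modular inverse of the key."""
    return enc(pow(key, -1, P), data)


def add(a, b):
    """The embedding '+': sample-wise addition mod P."""
    return [(x + y) % P for x, y in zip(a, b)]


def sub(a, b):
    return [(x - y) % P for x, y in zip(a, b)]


def mark(secret, message, slots, n):
    """Constructed mark: HMAC-SHA256 bytes mapped to 1..16 at the given slots."""
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    out = [0] * n
    for pos, byte in zip(slots, digest):
        out[pos] = 1 + byte % 16
    return out


def hash_h2(data):
    """Hash value H2 over the transmitted samples (SHA-256 here)."""
    return hashlib.sha256(b"".join(x.to_bytes(2, "big") for x in data)).hexdigest()


def embedding_process(G, U, S, k1, k2):
    """Procedures 2), 3), 5) and 6); returns each message that crosses the network."""
    m2 = enc(k1, add(G, U))    # 2) first entity:  E1(G + U)
    m3 = enc(k2, add(m2, S))   # 3) second entity: E2(E1(G + U) + S)
    h2 = hash_h2(m3)           #    plus hash value H2 for the verification terminal
    m5 = dec(k1, m3)           # 5) first entity:  E2(G + U) + D1(E2(S))
    gw = dec(k2, m5)           # 6) second entity: Gw = G + U + D1(S)
    return {"m2": m2, "m3": m3, "h2": h2, "m5": m5, "Gw": gw}


def first_verification(found, G, U, k1, u_slots, s_slots, signature_ok):
    """Name the party the verification process blames for a discovered copy."""
    residual = sub(found, G)
    if any(residual[i] != U[i] for i in u_slots):
        return "first entity"             # user information not extracted
    s_found = sub(enc(k1, found), enc(k1, add(G, U)))  # first encryption exposes S'
    if signature_ok([s_found[i] for i in s_slots]):
        return "second entity"            # only the second entity could make S
    return "first entity"                 # S' differs from S


# Constructed sample data: 16 samples, U on even positions, S on odd positions.
N = 16
U_SLOTS, S_SLOTS = range(0, N, 2), range(1, N, 2)
G = [12, 200, 34, 90, 255, 0, 77, 143, 8, 61, 199, 230, 5, 118, 42, 173]
K1, K2 = 45, 101   # secret keys of the first and second entity (constructed)
U = mark(b"first-entity-demo-key", b"contract-0001", U_SLOTS, N)
S = mark(b"second-entity-demo-key", b"contract-0001", S_SLOTS, N)


def signature_ok(candidate):
    """Stand-in for checking S' with the second entity's public key."""
    return candidate == [S[i] for i in S_SLOTS]


def scenarios():
    run = embedding_process(G, U, S, K1, K2)
    # The first entity never sees S in the clear, so a copy it fabricates carries
    # a guess; this constructed guess shifts every value so it cannot equal S.
    guess = [0 if v == 0 else v % 16 + 1 for v in S]
    fabricated = add(add(G, U), dec(K1, guess))
    args = (G, U, K1, U_SLOTS, S_SLOTS, signature_ok)
    return {
        "copy leaked by second entity": first_verification(run["Gw"], *args),
        "copy fabricated by first entity": first_verification(fabricated, *args),
        "unmarked original leaked": first_verification(G, *args),
    }


if __name__ == "__main__":
    for case, blamed in scenarios().items():
        print(f"{case}: {blamed}")
```

Because the second entity only ever holds G + U + D1(S) and the first entity only ever sees S under E2, neither side alone can produce the copy that the other side's verification would accept.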

[0169] According to the electronic watermark method according to the
fourth embodiment, the encryption of digital data and the embedding
process for an electronic watermark are performed by the first and the
second terminals 10 and 20, and the encryption and the identification
of correct electronic watermark information are performed by the
verification terminal 30. Therefore, even when the first entity or the
second entity individually prepares an illegal copy, the illegal act
can be easily detected, and in addition, the perpetrator of the illegal
act can be easily identified.

[0170] Furthermore, according to this method, since 
the verification office examines the results of the first 
embedding process and of the second embedding proc- 
ess, collusion is not effective, so that the collusion of the 
server or the author with the agency and the user would 
not occur. Even if such a collusion should occur, an ille- 
gal act can be easily detected. The safety of this proc- 
ess is established based on the premise that the 
verification office is trustworthy. 

(Fifth Embodiment) 

[0171] Recently, the transfer of money across networks, a fund transfer
procedure that is called electronic cash, has come to be employed.
Since as with a regular cash payment, the name of the owner of an
electronic cash transfer is not identified, anonymity is attained. If
the attainment of anonymity were not possible, a seller of a product
could obtain from an electronic cash transfer information concerning a
purchaser and the use of its product, and the privacy of a user would
not be protected. Therefore, the protection of the privacy of a user is
as important as is the protection provided for a copyright granted to a
creator who uses an electronic watermark.

[0172] In a fifth embodiment, therefore, the anonymity 
of a user is provided for a purchaser, and when an ille- 
gal act, such as the illegal distribution of images, is dis- 
covered, it is possible to identify an unauthorized 
distributor, which is the original purpose of an electronic 
watermark. This is achieved by employing, for example, 
a system 200 shown in Fig. 18. 
[0173] The system 200 has the same structure as has
the system 100 for the fourth embodiment, while an 
anonymous public key certificate, which is issued by a 
certification office 40, is provided for a second terminal 
20. 

[0174] Generally, in order to authenticate signature 
information, a certificate issued by an organization 
called a certification office is added to a public key that 
is used when examining the signature information. 
[0175] A certification office is an organization that issues
certificates for public keys assigned to users to provide public key
authentication that is consonant with the requirements of the public
key encryption system. That is, a certification office employs its own
secret key to provide a signature for a user's public key, or for data
concerning the user, and for this purpose prepares and issues a
certificate. When a user receives from another user a signature that is
accompanied by a certificate, the user examines the certificate using
the public key of the certification office to verify the authentication
provided by the user who transmitted the public key (or, at the least,
the fact that authentication has been provided the user by the
certification office). Both VeriSign and CyberTrust are well known
organizations that operate such certification offices.

[0176] When at procedure 2) of the second embedding process in the
fourth embodiment an agency examines a signature to verify the contract
information submitted for a user, the agency can employ the public key
with a signature issued by the certification office 40 in Fig. 18.
However, since the name of the owner of the public key is generally
written in the certificate, user anonymity is not provided at the time
data are purchased.

[0177] On the other hand, if the certification office 40 keeps secret
the correspondence of public keys and their owners, the name of an
owner may not be written in a certificate issued for a public key. An
anonymous certificate for a public key is hereinafter called an
"anonymous public key certificate," and a public key for which such a
certificate is provided is called an "anonymous public key with a
certificate." In procedure 1) of the above described second embedding
process, when a user transmits to a server not only contract
information but also a signature for the contract information and an
anonymous public key, accompanied by a certificate, to enable the
examination of the signature information S, the user can remain
anonymous when purchasing digital data.

[0178] Therefore, the anonymous public key, accompanied by the
certificate, is transmitted to the agency as information to be used for
user verification. And when an illegal transaction is discovered and
the user must be identified, the anonymous public key, accompanied by
the certificate, is transmitted to the certification office 40 with a
request for the user name which corresponds to that of the owner of the
public key. Therefore, when procedures 1) and 2) in the second
embedding process and procedure 1) in the second verification process
in the second embodiment are performed as follows, the anonymity of a
user when purchasing digital data can be maintained, but when an
illegal transaction is discovered, the user responsible for the
perpetration of the transaction can be identified.

[0179] The embedding process and the verification 
process performed by the system 200 in Fig. 18 will be 
specifically described. 

[Embedding Process]

[0180] 

1) First, in the second terminal 20, a contract generator 21 provides,
for contract information for requesting desired image data, a signature
that corresponds to an anonymous public key accompanied by a
certificate issued by the certification office 40. Together with the
anonymous public key accompanying the certificate, the second terminal
20 transmits the contract information to the first terminal 10.

2) In the first terminal 10, a contract identification unit 11 examines
the public key of the second entity by using the public key of the
certification office 40. And the contract identification unit 11
identifies the signature for the contract information using the
anonymous public key of the second entity, and after the confirmation
process is completed, prepares user information U using, at the least,
either the contract information or the anonymous public key. An
electronic watermark embedding unit 12 embeds, in image data G, the
user information U that is prepared by the contract identification unit
11. A first encryption unit 13 performs first encryption E1() for the
image data G, and transmits the obtained data to the second terminal
20. Thus, the second terminal receives the first encrypted image data
E1(G + U).

Since the procedures 3) to 6) are the same as those 
in the fourth embodiment, no explanation for them 
will be given here. 

[Verification Process] 

[0181] 

1) In the second verification process, the first terminal 10 extracts
user information from the illegal image data Gw' that is discovered.
The first terminal 10 further performs the first encryption for the
illegal image data Gw' and extracts signature information therefrom.
The first terminal 10 then submits, to the certification office 40, the
extracted user information and the anonymous public key that was
obtained from the contract information, and requests the name of the
second entity that corresponds to the anonymous public key. When the
user information is not extracted, it is ascertained that the first
entity committed an illegal act.
The procedures 2) and 3) are the same as those in 
the fourth embodiment. 

[0182] As is described above, according to the fifth 
embodiment, when purchasing digital data a user can 
also maintain his or her anonymity relative to the verifi- 
cation office. 

(Sixth Embodiment) 

[0183] In a sixth embodiment, an explanation will be given for the
overall processing where the server or the author in Fig. 4 or 5
distributes digital data to the user via the agency. The sixth
embodiment of the present invention will be described while referring
to Fig. 19. Specifically, an electronic watermark method according to
the sixth embodiment is performed by a system 300 shown in Fig. 19, to
which the electronic information distribution system of the present
invention is applied.
[0184] In the sixth embodiment, the system 300 is a network system,
which is constituted by multiple entities (not shown) that include a
terminal 50 on the server side (hereinafter referred to as a server
terminal), a terminal 60 on the agency side (hereinafter referred to as
an agency terminal), a terminal 70 on the user side (hereinafter
referred to as a user terminal), and a terminal 30 on the verification
office side (hereinafter referred to as a verification terminal). The
individual entities exchange digital data across the network.

[0185] The server terminal 50 comprises: a first encryption unit 51,
for receiving, for example, image data (digital data); and a first
decryption unit 52, for receiving data from the user terminal 70 and
the verification terminal 30. The data from the first encryption unit
51 are transmitted to the agency terminal 60, and the data from the
first decryption unit 52 are transmitted to the user terminal 70.

[0186] The agency terminal 60 comprises: a contract identification unit
61, for receiving data from the user terminal 70; and an electronic
watermark embedding unit 62, for receiving the output of the first
encryption unit 51 of the user terminal 50. The data output by the
electronic watermark unit 61 are transmitted to the user terminal 70
and the verification terminal 30.
[0187] The user terminal 70 comprises: a contract generator 71, for
transmitting data to the contract identification unit 61 of the agency
terminal 60; a signature generator 72; an electronic watermark
embedding unit 73, for receiving data from the signature generator 72
and the electronic watermark embedding unit 62 of the agency terminal
60; a second encryption unit 74, for receiving data from the electronic
watermark embedding unit 73; and a second decryption unit 75, for
receiving data from the first decryption unit 52 of the server terminal
50. The data from the second decryption unit 75 are transmitted as
image data that include an electronic watermark. The data from the
second encryption unit 74 are transmitted to the first decryption unit
52 of the server terminal 50 and the verification terminal 30.
[0188] The verification terminal 30 comprises: a second decryption unit
31, for receiving data from the electronic watermark embedding unit 62
of the agency terminal 60 and the second encryption unit 74 of the user
terminal 70; and an electronic watermark identification unit 32, for
receiving data from the second decryption unit 31. The data of the
electronic watermark unit 32 are supplied to the first decryption unit
52 of the server terminal 50.

[0189] The processing performed by the thus arranged system 300 will
now be explained. For the protocol shown in Fig. 19, information
concerning the first encryption, such as the method and its secret key,
is available only to the server or the author, and information
concerning the second encryption is available only to the user. It
should be noted, however, that for these encryption processes a
property exists whereby regardless of which encryption process is
performed first, the encrypted data can be decrypted. While the
hierarchical system as shown in Fig. 5 is employed in the following
explanation, this explanation can be applied for the system shown in
Fig. 4 by replacing the author with the server.

[Embedding Process]
[0190] 

1) First, the user terminal 70 requests that the agency terminal 60
provide it desired image data bearing its signature. The requested data
is information (user's signature information) that is generated by the
contract generator 71 and that is hereinafter called contract
information. In the agency terminal 60, the contract identification
unit 61 employs the signature of the user to identify the received
contract information, and then forwards a request to the server
terminal (author) 50 for image data. Upon receiving this request, the
first encryption unit 51 of the server terminal 50 performs the first
encryption E1() of image data G and transmits the obtained data to the
agency terminal 60.

2) In the agency terminal 60, the contract identification unit 61
prepares user information U using the contract information received
from the user terminal 70. The electronic watermark embedding unit 62
embeds the user information U, generated by the contract identification
unit 61, in the first encrypted image data E1(G) that were transmitted
by the server terminal 50. The user terminal 70, therefore, receives
the first encrypted image data E1(G) + U with the included user
information U.

The electronic watermark embedding unit 62 of the agency terminal 60
transmits, to the verification terminal 30, secret information
concerning an electronic watermark. The secret information is
information that concerns the embedding position and strength for the
detection of an electronic watermark, and that is encrypted by another
encryption method that is shared with the verification terminal 30.

3) In the user terminal 70, the signature generator 22 generates
signature information S using the secret key of the user. The
electronic watermark embedding unit 73 embeds in the first encrypted
image data E1(G) + U that have been transmitted (distributed) by the
agency terminal 60 the signature information S generated by the
signature generator 72. The second encryption unit 74 performs a second
encryption for the first encrypted image data E1(G) + U + S in which
the signature information S has been embedded by the electronic
watermark embedding unit 73, and the obtained image data are then
transmitted to the verification terminal 30. Therefore, the
verification terminal 30 receives the second encrypted image data
E2(E1(G) + U + S).

At this time, the second encryption unit 74 of the user terminal 70
generates a hash value H2 for the second encrypted image data
E2(E1(G) + U + S) that are to be transmitted to the verification
terminal 30. The second encryption unit 74 then provides a signature
for the hash value H2, and together with secret information concerning
the electronic watermark and the second encryption secret key,
transmits it to the verification terminal 30.

4) The verification terminal 30 identifies the signa- 
ture accompanying the hash value H2 received 
from the user terminal 70, and confirms that the 
hash value H2 matches the hash value for the 
transmission data. After the confirmation process is 
completed, the second decryption unit 31 decrypts 
the second encrypted image data 
E2(E1(G) + U + S) received from the user terminal 
70, and extracts, therefrom, the user information U 
and the signature information S. The electronic 
watermark identification unit 32 then examines the 
user information U and the signature information S, 
and if the information U and S is correct, the verifi- 
cation information is prepared using the signature 
of the verification terminal 30. Finally, the verifica- 
tion terminal 30 transmits, to the server terminal 50, 
the second encrypted image data 
E2(E1(G) + U + S), and the hash value H2 and its
accompanying signature, all of which are received 
from the user terminal 70, and the verification infor- 
mation for them and its accompanying signature. 

5) In the server terminal 50, the author identifies the 
verification information and its accompanying sig- 
nature received from the verification terminal 30, 
and also the second encrypted image data 
E2(E1(G) + U + S), and the hash value H2 and its
accompanying signature. After this confirmation 
process has been completed, the first decryption 
unit 52 decrypts the first encrypted portion of the 
second encrypted image data E2(E1(G) + U + S) 
to obtain image data E2(G) + D1(E2(U + S)) , 
which in turn is transmitted to the user terminal 70. 

6) In the user terminal 70, the second decryption unit 75 decrypts the
second encrypted portion of the image data E2(G) + D1(E2(U + S))
received from the server terminal 50, and extracts image data Gw in
which is embedded an electronic watermark. Therefore, the image data Gw
and the included electronic watermark are represented by
Gw = G + D1(U + S). This means that the user information U and the
user's signature information S that are affected by the first
decryption are embedded as electronic information in the original image
data.
[0191] If in procedure 4) the verification terminal 30 does not verify
that the electronic watermark information is correct, either because
the author or the user has committed an illegal act, notifications to
that effect are transmitted to the server terminal 50, the agency
terminal 60 and the user terminal 70. Since even when trading is halted
at this time, none of them experiences a profit or a loss, the
commission of an illegal act is senseless. When an illegal copy
(illegal image) Gw' is discovered, the party who committed the illegal
act can be easily identified by performing the following simple
verification processing. It should be noted that the image data are not
affected by the modification and the deletion of electronic watermark
information.


[Verification Process] 
[0192] 

1) First, in the server terminal 50, the author performs the first
encryption of the illegal image data Gw' and extracts the user
information U. When the user information U is not extracted, it is
ascertained that the author committed an illegal act.

2) When the correct user information U is extracted, signature
information is extracted from data obtained by the first encryption of
the illegal image data Gw'.

3) When the correct signature information is extracted, it is
ascertained that the user committed an illegal act. This is because the
correct signature information can be prepared only by the user and the
author, as the agency can have no knowledge of the signature
information.

4) If the correct signature information is not extracted, it is
ascertained that the author committed an illegal act.

[0193] According to the electronic watermark method
according to the sixth embodiment, the encryption of
digital data and the embedding process for an electronic
watermark are performed by the server terminal 50, the
agency terminal 60 and the user terminal 70, and the
encryption and the identification of correct electronic
watermark information are performed by the verification
terminal 30. Therefore, when the author, the agency or
the user has individually prepared an illegal copy, the
illegal act can be easily detected, and the illegal party
can be easily identified. Furthermore, according to this
method, since the verification office examines the
results of the first embedding process and of the second
embedding process, collusion is not effective, so that
the collusion of the server or the author with the agency
and the user could not occur. Even if such a collusive
act should occur, the illegal act could be easily detected.
The safety of this process is based on the premise that
the verification office is trustworthy.



(Seventh Embodiment) 

[0194] In a seventh embodiment as well as in the sixth
embodiment, an explanation will be given for the overall 
processing where the server or the author in Fig. 4 or 5 
distributes digital data to the user via the agency. The 
seventh embodiment of the present invention will be 
described while referring to Fig. 20. Specifically, an 
electronic watermark method according to the seventh 
embodiment is performed by a system 400 shown in 
Fig. 20, to which the electronic information distribution 
system of the present invention is applied. 
[0195] In the seventh embodiment, the system 400 is 
a network system, which is constituted by multiple enti- 
ties (not shown) that include a server terminal 50, an 
agency terminal 60, a user terminal 70 and a verification 
terminal 30. The individual entities exchange digital 
data across the network. 

[0196] The server terminal 50 comprises: a first
encryption unit 51, for receiving, for example, image 
data (digital data); and a first decryption unit 52, for 
receiving data from the user terminal 70 and the verifi- 
cation terminal 30. The data from the first encryption 
unit 51 are transmitted to the agency terminal 60, and 
the data from the first decryption unit 52 are transmitted 
to the user terminal 70. 

[0197] The agency terminal 60 comprises: a contract 
identification unit 61, for receiving data from the user 
terminal 70; an electronic watermark embedding unit 
62, for receiving the output of the contract identification 
unit 61 and the first encryption unit 51 of the user termi- 
nal 50; and an electronic watermark embedding unit 63, 
for receiving data from the user terminal 70. The data 
output by the electronic watermark unit 61 are transmit- 
ted to the user terminal 70 and the verification terminal 
30. Also, the output of the electronic watermark embedding
unit 63 is transmitted to the server terminal 50
and the verification terminal 30.

[0198] The user terminal 70 comprises: a contract 
generator 71, for transmitting data to the contract
identification unit 61 of the agency terminal 60; a signature
generator 72; a second encryption unit 74, for receiving 
data from the electronic watermark embedding unit 62 
of the agency terminal 60; and a second decryption unit 
75, for receiving data from the first decryption unit 52 of 
the server terminal 50. The data from the second 
decryption unit 75 are transmitted as image data that 
include an electronic watermark. The data from the sec- 
ond encryption unit 74 are transmitted to the electronic 
watermark embedding unit 63 of the agency terminal 60 
and the verification terminal 30. 

[0199] The verification terminal 30 comprises: a second
decryption unit 31, for receiving data from the electronic
watermark embedding unit 63 of the agency
terminal 60 and the second encryption unit 74 of the
user terminal 70; and an electronic watermark identification
unit 32, for receiving data from the second
decryption unit 31 and from the electronic watermark
embedding unit 63 of the agency terminal 60. The data
of the electronic watermark unit 32 are supplied to the
first decryption unit 52 of the server terminal 50.
[0200] The processing performed by the thus 
arranged system 400 will now be explained. For the pro- 
tocol shown in Fig. 20, information concerning the first 
encryption, such as the method and its secret key, is 
available only to the server or the author, and informa- 
tion concerning the second encryption is available only 
to the user. It should be noted, however, that for these 
encryption processes a property exists whereby regard- 
less of which encryption process is performed first, the 
encrypted data can be decrypted. While the hierarchical 
system as shown in Fig. 5 is employed in the following 
explanation, this explanation can be applied for the sys- 
tem shown in Fig. 4 by replacing the author with the 
server. 

[Embedding Process] 
[0201] 

1) First, the user terminal 70 requests that the
agency terminal 60 provide it with desired image data
bearing its signature. The requested data is information
(user's signature information) that is generated by
the contract generator 71 and that is
hereinafter called contract information. In the
agency terminal 60, the contract identification unit
61 employs the signature of the user to identify the
received contract information, and then forwards a
request to the server terminal (author) 50 for image
data. Upon receiving this request, the first encryption
unit 51 of the server terminal 50 performs the
first encryption E1() of image data G and transmits
the obtained data E1(G) to the agency terminal 60.

2) In the agency terminal 60, the contract identifica- 
tion unit 61 prepares user information U using the 
contract information received from the user terminal 
70. The electronic watermark embedding unit 62 
embeds the user information U, generated by the 
contract identification unit 61, in the first encrypted 
image data E1(G) that were transmitted by the 
server terminal 50. The user terminal 70, therefore, 
receives the first encrypted image data E1(G) + U 
with the included user information U. 

3) In the user terminal 70, the second encryption
unit 74 performs the second encryption of the first
encrypted image data E1(G) + U received from the
agency terminal 60, and transmits to the agency
terminal 60 the obtained image data
E2(E1(G) + U). The signature generator 72 generates
signature information S that only the user can
prepare, and, together with the second encrypted
image data E2(E1(G) + U), transmits it to the
agency terminal 60. Furthermore, the second
encryption unit 74 transmits the second encryption
secret key to the verification terminal 30.



4) In the agency terminal 60 the electronic watermark
embedding unit 63 embeds signature information S
in the second encrypted image data
E2(E1(G) + U), the information in both cases having
been received from the user terminal 70, and transmits
the obtained image data to the verification terminal 30.
Thus, the verification terminal 30 receives
the second encrypted image data
E2(E1(G) + U) + S and its accompanying signature
information.

At this time, the agency terminal 60 generates
a hash value H2 for the second encrypted image
data E2(E1(G) + U) + S that are to be transmitted
to the verification terminal 30. The agency terminal
60 then provides a signature for the hash value H2,
and, together with the secret information concerning
the electronic watermark and the second
encryption secret key, transmits it to the verification
terminal 30. The secret information is information
that concerns the embedding position and the
strength required to detect an electronic watermark,
and that is encrypted by another encryption
method that is shared with the verification terminal
30.

5) The verification terminal 30 identifies the signature
accompanying the hash value H2 received from the agency
terminal 60, and confirms that the hash value H2 matches
the hash value for the transmission data. After the
confirmation process is completed, the electronic watermark
identification unit 32 extracts signature information S
from the second encrypted image data E2(E1(G) + U) + S,
which is received from the agency terminal 60. The second
decryption unit 31 decrypts the second encrypted image data
E2(E1(G) + U + S) received from the user terminal 70, and
extracts the user information U therefrom.

The electronic watermark identification unit 32 examines
the user information U and the signature information S. If
the information U and S is correct, the verification
information is prepared using the signature of the
verification terminal 30. Finally, the verification terminal
30 transmits, to the server terminal 50, the second
encrypted image data E2(E1(G) + U) + S, and the hash value
H2 and its accompanying signature, all of which have been
received from the agency terminal 60, and the verification
information for them and its signature.

6) In the server terminal 50, the author identifies the
verification information, and its accompanying signature,
received from the verification terminal 30, and also the
second encrypted image data E2(E1(G) + U) + S, and the hash
value H2 and its accompanying signature. After this
confirmation process has been completed, the first
decryption unit 52 decrypts the first encrypted portion of
the second encrypted image data E2(E1(G) + U) + S to obtain
image data E2(G) + D1(E2(U) + S), which in turn is
transmitted to the user terminal 70.

7) In the user terminal 70, the second decryption unit 75
decrypts the second encrypted portion of the image data
E2(G) + D1(E2(U) + S) received from the server terminal 50,
and extracts image data Gw in which is embedded an
electronic watermark. Therefore, the image data Gw that
includes the electronic watermark is represented by
Gw = G + D1(U + D2(S)). This means that the user
information U that is affected by the first decryption and
the user's signature information S that is affected by both
the first and the second decryption are embedded as
electronic information in the original image data.


[0202] If in procedure 5) the verification terminal 30
does not verify the electronic watermark information,
either because the author or the user committed an illegal
act, notifications to that effect are transmitted to the
server terminal 50, the agency terminal 60 and the user
terminal 70. Since even when trading is halted at this
time, none of them experiences either a profit or a loss,
the commission of an illegal act is senseless. When an
illegal copy (illegal image) Gw' is discovered, the party
who committed the illegal act can be easily identified by
performing the following simple verification process. It
should be noted that the image data are not affected by
the modification and the deletion of electronic watermark
information.


[Verification Process] 
[0203] 

1) First, in the server terminal 50, the author performs
the first encryption for the illegal image data Gw' and
extracts the user information U. When the user information
U is not extracted, it is ascertained that the author
committed an illegal act.

2) When the correct user information U is extracted, the
server terminal 50 submits, to the verification terminal
30, the first encrypted image data Gw' and the user
information U, and requests that they be examined. The
verification terminal 30 performs the second encryption for
the first encrypted image data Gw' (its encryption function
is not shown), and extracts the signature information.

3) When the correct signature information is extracted, it
is ascertained that the user committed an illegal act.

4) When the correct signature information is not extracted,
it is ascertained that the author committed an illegal act.
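
The embedding and verification processes of the seventh embodiment, traced end to end as an added example (it is not part of the patent text). Assumptions made here: E1 is a keyed row permutation and E2 a keyed column permutation (a toy pair that commutes, not a secure cipher), the cover image has its two low bits clear so that U sits in bit 0 and S in bit 1, U and S are SHA-256-derived bit patterns, and the signatures on H2 are omitted; all names and sample values are constructed.

```python
import hashlib
import random

N = 8  # toy image is N x N

def perm(key):
    """Key-derived permutation of range(N) (toy key schedule, not secure)."""
    p = list(range(N))
    random.Random(key).shuffle(p)
    return p

def rows(m, p, inverse=False):
    """E1 / D1 (assumed): permute rows; only the author knows p."""
    out = [None] * N
    for i in range(N):
        if inverse:
            out[p[i]] = list(m[i])
        else:
            out[i] = list(m[p[i]])
    return out

def cols(m, q, inverse=False):
    """E2 / D2 (assumed): permute columns; only the user knows q."""
    out = [[0] * N for _ in range(N)]
    for r in range(N):
        for j in range(N):
            if inverse:
                out[r][q[j]] = m[r][j]
            else:
                out[r][j] = m[r][q[j]]
    return out

def add(a, b):
    """The embedding operator '+': element-wise addition."""
    return [[x + y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def pattern(data, weight):
    """Watermark pattern: first N*N bits of SHA-256(data), scaled by weight."""
    d = hashlib.sha256(data).digest()
    bits = [(d[i // 8] >> (i % 8)) & 1 for i in range(N * N)]
    return [[weight * bits[r * N + c] for c in range(N)] for r in range(N)]

def extract(m, weight):
    """Blind extraction: read the bit plane that 'weight' occupies."""
    return [[v & weight for v in row] for row in m]

def digest(m):
    """Hash value over the transmitted data (SHA-256 chosen for this example)."""
    return hashlib.sha256(repr(m).encode()).hexdigest()

def verifier_check(d, h2, c, q, U, S):
    """Embedding step 5: verification terminal checks H2, then S and U."""
    if digest(d) != h2:
        return False
    return extract(d, 2) == S and extract(cols(c, q, inverse=True), 1) == U

def embed(G, k1, k2, U, S):
    """Embedding steps 1 to 7; returns the watermarked image Gw."""
    p, q = perm(k1), perm(k2)
    a = rows(G, p)                    # 1) server -> agency: E1(G)
    b = add(a, U)                     # 2) agency -> user: E1(G) + U
    c = cols(b, q)                    # 3) user -> agency: E2(E1(G) + U)
    d = add(c, S)                     # 4) agency: E2(E1(G) + U) + S
    h2 = digest(d)                    #    hash value H2 (signature omitted)
    if not verifier_check(d, h2, c, q, U, S):
        raise ValueError("verification terminal rejected the transaction")
    f = rows(d, p, inverse=True)      # 6) server: E2(G) + D1(E2(U) + S)
    return cols(f, q, inverse=True)   # 7) user: Gw = G + D1(U + D2(S))

def identify(copy, k1, k2, U, S):
    """Verification process steps 1 to 4 for a discovered copy Gw'."""
    x = rows(copy, perm(k1))          # author: first encryption of Gw'
    if extract(x, 1) != U:
        return "author"               # step 1: U not extracted
    y = cols(x, perm(k2))             # verification terminal: second encryption
    return "user" if extract(y, 2) == S else "author"   # steps 3 and 4

# Constructed sample data: cover pixels are multiples of 4 (low two bits clear).
G = [[4 * ((3 * r + 5 * c) % 50) for c in range(N)] for r in range(N)]
U = pattern(b"constructed-user-id", 1)      # user information, bit 0
S = pattern(b"constructed-signature", 2)    # signature information, bit 1
K1, K2 = "author-secret", "user-secret"     # placeholder keys
GW = embed(G, K1, K2, U, S)

if __name__ == "__main__":
    print("leaked user copy      ->", identify(GW, K1, K2, U, S))
    print("copy without U or S   ->", identify(G, K1, K2, U, S))
```

Because a copy that carries U but lacks D2(S) can be produced without the second encryption key, `identify` attributes it to the author, which is the case procedure 4) describes.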

[0204] According to the electronic watermark method
of the seventh embodiment, the encryption of digital
data and the embedding process for an electronic
watermark are performed by the server terminal 50, the
agency terminal 60 and the user terminal 70, and the
encryption and the identification of correct electronic
watermark information are performed by the verification
terminal 30. Therefore, even when the author, the
agency or the user individually prepares an illegal copy,
the illegal act can be easily detected. In addition, the
illegal party can be easily identified. Furthermore,
according to this method, since the verification office
examines the results of the first embedding process and of
the second embedding process, collusion is not effective,
so that the collusion of the server or the author with the
agency and the user would not occur. Even if such a
collusion should occur, an illegal act could be easily
detected. The safety of this process is based on the
premise that the verification office is trustworthy.

(Eighth Embodiment) 

[0205] According to an eighth embodiment, in the 
arrangement for the sixth embodiment shown in Fig. 18, 
when a user purchases digital data the anonymity of the 
user can be maintained, as in the fifth embodiment, and 
when an illegal act, such as the distribution of an illegal 
image, is discovered the party who committed the illegal 
act can be identified. This is implemented by using, for
example, a system 500 shown in Fig. 21. The system 
500 has the same arrangement as that of the system 
300 in the sixth embodiment, except that a user terminal 
70 receives an anonymous public key certificate from a 
certification office 40. 

[0206] In this embodiment, as well as in the fifth 
embodiment, if the certification office 40 keeps secret 
the correspondence of public keys and the names of 
their owners, an owner's name is not entered in a certif- 
icate issued for a public key. In procedure 1) of the 
embedding process of the sixth embodiment, when a 
user transmits to a server not only contract information, 
but also a signature for the contract information and an 
anonymous public key accompanied by a certificate to 
be used to examine the signature information S, the 
user can remain anonymous when purchasing digital 
data. 

[0207] Therefore, the anonymous public key, accom- 
panied by the certificate, is transmitted to the agency as 
identification information for the user. Then, when an 
illegal act is discovered, the anonymous public key, 
accompanied by the certificate, is transmitted to the cer- 
tification office 40 and the name of the user that corre- 
sponds to the public key is requested in order that the 
user can be identified. Therefore, when procedure 1) in 
the embedding process and procedure 1) in the verifica- 
tion process in the sixth embodiment are changed as 
follows, the anonymity of a user when purchasing digital 
data can be maintained, while if an illegal act is discov- 
ered, the party who committed the illegal act can be 
identified. 

[0208] It should be noted that a user can remain anonymous
when purchasing digital data, and that when an
illegal act is discovered, the party who committed the
illegal act can be identified by changing procedure 1) in
the embedding process and procedure 1) in the verification
process in the seventh embodiment as follows.

[0209] The embedding process and the verification
process performed by the system 500 in Fig. 21 will now
be specifically explained.

[Embedding Process] 


[0210] 

1) First, in the user terminal 70, a contract generator
71 provides, for contract information issued to
request desired data, a signature that corresponds
to an anonymous public key accompanied by a certificate
issued by the certification office 40. The
contract generator 71 then transmits, to an agency
terminal 60, the anonymous public key and the contract
information accompanying the signature. In
the agency terminal 60, a contract identification unit
61 identifies the received contract information by
using the anonymous public key, and then requests
the image data from the author. Upon receiving the
request, a first encryption unit 51 in a server terminal
50 performs the first encryption E1() of image
data G, and transmits the obtained image data
E1(G) to the agency terminal 60.

Since the procedures 2) to 6) are the same as those
in the sixth embodiment, no explanation for them
will be given.

[Verification Process] 

[0211]

1) In the server terminal 50, the first encryption unit
51 performs the first encryption of the illegal image
data Gw' that is discovered, and extracts user information
therefrom. The server terminal 50 submits
to the certification office 40 the extracted user information
and the anonymous public key identified
using the contract information, and requests the
user's name that corresponds to the anonymous
public key. When the user information is not
extracted, it is ascertained that the author committed
the illegal act.

Procedures 2) to 4) are the same as those in the
sixth embodiment.


[0212] As is described above, according to the eighth
embodiment, when purchasing digital data a user can
remain anonymous relative to the verification office.

[0213] Various data, to include image data in the
fourth to the eighth embodiments and hash values
obtained during the embedding process for electronic
watermark information, can be stored using the above
described image format. According to the general
image format, for example, image data that are transmitted
at individual steps can be stored in an image data
portion, and a corresponding hash value and its signature
can be stored in an image header portion. Furthermore,
a hash value and its accompanying signature,
which the user must retain, and the second encryption
key can be stored in the image header portion, while
image data having an electronic watermark can be
stored in the image data portion.
[0214] In the fourth to the eighth embodiments, elec- 
tronic watermark information can be embedded using 
various methods. 

[0215] Further, the first encryption and the second 
encryption can also be implemented by employing vari- 
ous methods, such as an encryption system for altering 
the bit arrangement in consonance with an encryption 
key. In addition, a hash value and its signature can be 
provided for all data that are to be transmitted. In these
embodiments, the first encryption and the second
encryption are performed during the electronic watermark
information embedding process in order to prevent
the server, the user and the agency from acquiring
each other's stored information. However, DES
(Data Encryption Standard) cryptography or a hash 
function may be employed to prevent wiretapping and 
the alteration of data across a communication path by a 
third party. 

[0216] Furthermore, in the fourth to the eighth embodiments,
the first entity (the server or the author) is in
charge of the detection of illegal data distribution. How- 
ever, so long as electronic watermark extraction means 
is provided, any user can detect an illegal data distribu- 
tion and user information that has been illegally distrib- 
uted, even though he or she does not know the secret 
key for the first encryption or the second encryption. 
When an incidence of illegal data distribution is 
detected, the user need only notify the first entity for the 
verification process to be begun. Therefore, the process 
of detecting illegal distributions is not limited to the first 
entity. 

[0217] The first entity or the agency can embed in the
image data not only the user information U but also 
other, needed information, such as copyright informa- 
tion and information concerning an image data distribu- 
tion condition. In addition, to embed secret information, 
the first entity need only perform the embedding proc- 
ess following the first encryption, so that in addition to 
the signature information, information that is affected by 
the first encryption can be embedded in the image data. 
The user information U is not always embedded before 
the first encryption, and may be embedded after the first 
encryption (in this case, the detection of the user infor- 
mation U can be performed only by the first entity or a 
person who knows the secret key used for the first 
encryption). 

[0218] When the second entity is a user who shares a
printer or a terminal, the signature information for the
second entity and the second encryption may include
the signature information and the encryption system for
the printer or terminal that is used in common. The first
encrypted information from the first entity may be widely
distributed across a network or by using a CD-ROM,
even without its distribution being requested by the
second entity based on the contract information. The
signature information S for the second entity is not
necessarily generated by the public key encryption
method, but may be information (e.g., a code number)
that is defined by the user based on the contract
information.

[0219] In the United States, to employ encryption for
40 bits or more, a key management office is required to
manage an encryption key in order to prevent the
unauthorized use of the cryptograph. The verification office
30, therefore, can also serve as a key management
office. And when the verification office provides
advance management of the secondary encryption key,
the verification office can by itself perform the
verification processes 1) to 3) by performing the monitoring for
an illegal image. The first encryption key of the first
entity may be managed either by the same verification
office, or by another key management office. And the
keys of the first entity and the second entity may be
generated and distributed by the key management office.

[0220] In addition, instead of a single agency, a plurality
of agencies may be provided hierarchically. In this
case, a specific agency in charge of the hierarchical
structure may perform the processing that the agency is
in charge of, or the individual agencies may perform the
protocol to specify an agency to be in charge. When
only one agency is provided as is shown in Fig. 5,
embedding of user information U1 concerning the
agency may be omitted.

[0221] Further, upon receiving a request, the author
has been responsible for transmitting to the agency the
first encrypted data E1(G) of the original data G. However,
the author may transmit the data E1(G) to the
agency in advance.

[0222] The agency described in the sixth and the following
embodiments does not perform encryption E3()
and decryption D3(). However, the data may be
encrypted using the encryption process E3() after the
data have first been received from the author, or the
data may be decrypted using the decryption process
D3() before the data are transmitted to the author.

[0223] As is described above, according to the above
described electronic watermark embedding method and
system, the data encryption process and the electronic
watermark embedding process are distributed and
processed by a plurality of means or entities. An illegality
occurring in at least one of the encryption process and
the electronic watermark embedding process, which are
performed by the means or the entities, is verified by a
means or an entity other than the above means and
entities. Therefore, when data are illegally copied and
distributed across a hierarchical network, the illegal act
and the party who committed the illegal act can be
precisely identified. As a result, the commission of illegal
acts can be prevented, and a safe system that protects
against the illegal distribution of data can be provided.
In addition, this system can easily be applied for a key
management office that maintains the anonymity of a
user and prevents the illegal encryption of data.
[0224] The ninth to twelfth embodiments of the 
present invention will now be described while referring 
to Figs. 22 to 26. 

[0225] Fig. 22 is a schematic diagram illustrating in its 
entirety the arrangement of an electronic information 
distribution system according to a ninth embodiment of 
the present invention. As its contents, server S holds 
electronic information, and agencies A1 to Am make
contracts with the server S for the distribution of electronic
information. The agencies A1 to Am, by issuing
requests, obtain from the server S, as electronic infor- 
mation, the data they desire, and store the received 
data. 

[0226] Users U11 to U1n make contracts with the
agency A1 to obtain electronic information servicing.
Users submit requests to the agency A1 for the distribution
of its stored contents, and upon receiving them,
store them as electronic information. The relationship
between the agencies A2 to Am and the users U21 to
U2n and Um1 to Umn is the same as that which exists
between the agency A1 and the users U11 to U1n.
[0227] In this embodiment, the following electronic 
watermark superimposition method is applied to the 
system in Fig. 22. The specific embodiments for the 
electronic watermark superimposition method will now 
be described while referring to Figs. 23 to 26. 
[0228] The processing is broken down into a process 
1, wherein the server S in Fig. 22 transmits image data
as electronic information to the agencies A1 to Am, and 
process 2, wherein the agencies A1 to Am transmit 
image data to the users U11 to Umn. In the following 
embodiments, which employ the electronic watermark 
superimposition method, the same or substantially the 
same protocol is employed for processes 1 and 2. Proc- 
ess 1 is performed first, and then process 2 is per- 
formed. A specific protocol for processes 1 and 2 will be 
explained. 

(Ninth Embodiment) 

[0229] The ninth embodiment will now be described 
while referring to Fig. 23. 

[0230] The network system includes a first entity,
terminal 10, a second entity, terminal 20, and a verification
office terminal 30. The first entity, terminal 10,
comprises: a contract identification unit 11, for receiving
data from the terminal 20; a first electronic watermark
embedding unit 12, for receiving, for example, image
data (digital data); a first encryption unit 13, for receiving
the output of the first electronic watermark embedding
unit 12; a first decryption unit 14, for receiving data from
the terminal 20; a second electronic watermark embedding
unit 15, for receiving data from the terminal 20 and
from the first decryption unit 14; and a hash generator
16, for receiving the output of the second electronic
watermark embedding unit 15. The outputs of the first
encryption unit 13 and the hash generator 16 are
transmitted to the terminal 20. And the output of the second
electronic watermark embedding unit 15 is transmitted
both to the hash generator 16 and to the terminal 20.

[0231] The second entity terminal 20 comprises: a
contract generator 21, for transmitting data to the
contract identification unit 11 of the terminal 10; a signature
generator 22; a second encryption unit 24, for receiving
data from the first encryption unit 13 of the terminal 10;
a second decryption unit 25, for receiving data from the
second electronic watermark embedding unit 15 and
from the first encryption unit 14 in the terminal 10; and a
hash identification unit 27, for receiving data from the
second electronic watermark embedding unit 15 and
the hash generator 16 of the terminal 10. The data
produced by the second decryption unit 25 is output as
data that is accompanied by an electronic watermark.
The data produced by the second encryption unit 25 are
transmitted to the first decryption unit 14 of the terminal
10. The data produced by the signature generator 22
are transmitted to the second electronic watermark unit
15 of the terminal 10.

[0232] In the above system, information concerning
the first encryption process, such as the method used
and a secret key, is only that which is available to the
server; information concerning the second encryption
process is only that which is available to the second
entity. It should be noted, however, that a property of
these encryption processes is that regardless of which
encryption process is performed first, a message can
be deciphered by employing the decryption process.

[0233] Hereinafter, the encryption process is represented
by "Ei()," the decryption process is represented
by "Di()" and the embedding process concerning an
electronic watermark is represented by "+."

[0234] An explanation will now be given for the
processing performed by the system in Fig. 23. The
electronic watermark embedding process will be
explained first.

[Embedding Process]
[0235] 

1) First, the second entity, terminal 20, requests
desired image data bearing the user's signature
from the terminal 10. The requested data is information
(signature information for the second entity)
that is generated by the contract generator 21 and
that is hereinafter called contract information.

2) In the terminal 10, the contract identification unit
11 identifies the received contract information using
the signature for the second entity, and after that,
prepares user information U using the contract
information. The first electronic watermark embedding
unit 12 embeds, in the requested image data
G, the user information U that is prepared by the
contract identification unit 11. The first encryption
unit 13 performs a first encryption process E1() for
image data (G + U), in which the user information U
is embedded by the first electronic watermark
embedding unit 12, and transmits the resultant
image data to the terminal 20. Thus, the terminal 20
receives the first encrypted image data E1(G + U).

3) In the terminal 20, the second encryption unit 24
performs a second encryption process for the first
encrypted image data E1(G + U) received from the
terminal 10, and transmits the obtained second
encrypted image data E2(E1(G + U)) to the terminal
10.

At this time, in the second entity, the signature
generator 22 uses its own secret key to generate
signature information S and transmits it to the terminal
10.

4) In the terminal 10, the first decryption unit 14
decrypts the first encrypted portion of the second
encrypted image data E2(E1(G + U)) received
from the terminal 20. The second electronic watermark
embedding unit 15 identifies the signature
information S received from the terminal 20. And
the second electronic watermark embedding unit
15 embeds the signature information S in the image
data E2(G + U) that is generated by the first
decryption unit 14, and transmits the obtained
image data to the terminal 20. Further, the hash
generator 16 generates a hash value H1 for the
transmission data E2(G + U) + S, signs it, and,
together with the image data E2(G + U) + S, transmits
the obtained hash value H1 to the terminal 20.
As a result, the terminal 20 receives the image data
E2(G + U) + S and the hash value H1, with its
accompanying signature.

The hash value is a value obtained by calculating
the hash function h(), and the hash function is a
compression function that seldom causes a collision.
A collision in this case would mean that for the
different values x1 and x2, h(x1) = h(x2). The
compression function is a function for converting a bit
string having a specific bit length into a bit string
having a different bit length. Therefore, the hash
function is a function h() by which a bit string having
a specific bit length is converted into a bit string
having a different bit length, and for which values x1
and x2 that satisfy h(x1) = h(x2) are not easily
found. Since a value x that satisfies y = h(x) is not
easily obtained from an arbitrary value y, accordingly,
the hash function is a unidirectional function.
Specific examples for the hash function are an MD
(Message Digest) 5 or an SHA (Secure Hash
Algorithm).

5) The hash identification unit 27 of the terminal 20 identifies the hash value H1 and its accompanying signature that are received from the terminal 10, and confirms that the hash value H1 matches the hash value that is generated using the data E2(G + U) + S. After the confirmation process has been completed, the data E2(G + U) + S and the hash value H1 and its accompanying signature are stored.

[0236] The second decryption unit 25 decrypts the second encrypted portion of the data E2(G + U) + S, and extracts image data in which is embedded an electronic watermark. This indicates that the user information U and the second encrypted signature information S are embedded as electronic watermark information in the original image data.
[0237] As is described above, according to the electronic watermark embedding method of this embodiment, since the first entity is fully in charge of the embedding of electronic watermark information, basically, the second entity can not commit an illegal act. The first entity receives signature information S directly from the second entity and embeds it as electronic watermark information. However, since through procedure 5) of the embedding process signature information D2(S) obtained by the terminal 20 is affected by the second encryption, which only the second entity can perform, the first entity can not cause the second entity to be accused of a crime by directly embedding signature information D2(S) in the original image.
[0238] When the above described embedding process is performed, in process 1 the agency can obtain image data Gw having an electronic watermark wherein his or her signature information is embedded in the original image G of the server or the author. Assuming that the user information and signature information in process 1 are U1 and S1 and that the encryption and decryption performed by the agency are represented as Ea2() and Da2(), the image having the electronic watermark obtained by the agency is represented by Gw = G + U1 + Da2(S1). When in process 2 the same embedding process is performed while the image data of the agency are employed as the original image data, the user can acquire image data having an electronic watermark, Gww = G + U1 + Da2(S1) + U2 + Du2(S2). In this case, assume that the user information and signature information in process 2 are U2 and S2, and the encryption and the decryption performed by the user are Eu2() and Du2().

[0239] When an illegal copy Gww' is discovered, a party who has performed the illegal act is identified by the following verification process. This verification process is broken down into verification 1, which corresponds to process 1 for verifying the server or the author and the agency, and verification 2, for verifying the agency and the user. Verification process 1 is performed first, and then verification process 2 is performed. In verification 1 the user information and the signature information are defined as U1 and S1, and the encryption and decryption performed by the agency are Ea2() and Da2(). In verification 2 the user information and the signature information are defined as U2 and S2, and the encryption and decryption performed by the user are Eu2() and Du2().

[0240] It should be noted that image data are not 
affected by the modification or the deletion of electronic 
watermark information. 

[Verification Process] 

[0241] 

1) First, in verification 1 for the server S and the agency A, the terminal 10 on the server side (the first entity) extracts user information U1' from the illegal image data Gww' = G + U1' + U2' + Da2(S1') + Du2(S2'). When the user information U1' can not be extracted, it is ascertained that the server S committed the illegal act.

2) The server S, which is the first entity, submits the illegal image Gww' and the extracted user information U1' to the verification office, and requests that the verification office 30 examine agency A, which is the second entity.

3) The verification office 30 requests that the second entity submit the second encryption key stored therein. The verification office 30 performs the second encryption for the illegal image Gww' to extract signature information S1'.

4) If the correct signature information S1' is extracted, i.e., if S1' = S1, it is ascertained that the server S, which is the first entity, did not commit the illegal act, and program control moves to verification 2.

5) When correct signature information is not extracted in procedure 4), i.e., when S1' is not equal to S1, the verification office 30 examines the data Ea2(G + U1) + S1, and the hash value H1 and its accompanying signature S1, all of which are transmitted by the server S, which is the first entity, to the agency A, which is the second entity. The verification office 30 then confirms that the hash value H1 matches the hash value obtained from Ea2(G + U1) + S1. Then, the verification office 30 decrypts the data Ea2(G + U1) + S1 using the second encryption key that was submitted by the agency A in procedure 3), and extracts image data Gw, in which is embedded an electronic watermark.

6) When the correct image data in which is embedded an electronic watermark can not be extracted, it is ascertained that the agency A committed the illegal act. This means that the second encryption key in procedure 3) is not correct.

7) When the correct image data in which is embedded an electronic watermark can be extracted, it is ascertained that the server S committed the illegal act.
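The following is an added example, not part of the patent, that models embedding procedures 2) to 5) and verification procedures 3) to 7) of the ninth embodiment with toy primitives. Assumptions: E1() and E2() are multiplication by a secret key modulo a prime (commutative and linear), watermark embedding is sample-wise addition, extraction subtracts the first entity's reference copy G + U, and the signatures on H1 are not modelled; all names and sample values are constructed.

```python
import hashlib

P = 65537  # prime modulus of the toy sample space (assumption, not from the patent)

def enc(data, k):
    """Toy E_k(): multiply every sample by the key k modulo P."""
    return [(x * k) % P for x in data]

def dec(data, k):
    """Toy D_k(): multiply every sample by the modular inverse of k."""
    return enc(data, pow(k, -1, P))

def embed(data, mark):
    """Toy watermark embedding: sample-wise addition modulo P."""
    return [(x + w) % P for x, w in zip(data, mark)]

def remove(data, mark):
    """Inverse of embed(): sample-wise subtraction modulo P."""
    return [(x - w) % P for x, w in zip(data, mark)]

def digest(data):
    """Hash value over a list of samples (SHA-256 stands in for h())."""
    raw = b"".join(x.to_bytes(3, "big") for x in data)
    return hashlib.sha256(raw).hexdigest()

def embedding_process(G, U, S, k1, k2):
    """Return (stored record E2(G+U)+S, hash H1, watermarked image Gw)."""
    c1 = enc(embed(G, U), k1)          # 2) first entity sends E1(G + U)
    c2 = enc(c1, k2)                   # 3) second entity returns E2(E1(G + U)) and S
    record = embed(dec(c2, k1), S)     # 4) first entity: D1 gives E2(G + U), then + S
    h1 = digest(record)                #    hash value H1 over the transmission data
    if digest(record) != h1:           # 5) second entity confirms H1 before storing
        raise ValueError("H1 does not match the received data")
    gw = dec(record, k2)               #    Gw = G + U + D2(S)
    return record, h1, gw

def extract_signature(image, reference, k):
    """Apply the second encryption to a suspect image and subtract E2(G + U)."""
    return remove(enc(image, k), enc(reference, k))

def verify(illegal, reference, S, record, h1, submitted_k2):
    """Verification office: decide which party the evidence points to."""
    # 3)-4) second encryption of the illegal image with the submitted key
    if extract_signature(illegal, reference, submitted_k2) == S:
        return "procedure 4: first entity cleared"
    # 5) stored transmission data must match H1 before it is used as evidence
    if digest(record) != h1:
        raise ValueError("stored data do not match H1")
    candidate = dec(record, submitted_k2)
    # 6) a wrong key fails to reproduce the correctly watermarked image
    if extract_signature(candidate, reference, submitted_k2) != S:
        return "procedure 6: second entity submitted a wrong key"
    # 7) key is right, yet the illegal copy does not carry D2(S)
    return "procedure 7: first entity committed the illegal act"

# Constructed sample data: image G, user information U, signature information S.
G = [1200, 3400, 560, 7800, 910, 23, 4500, 6700]
U = [1, 0, 1, 1, 0, 0, 1, 0]
S = [0, 1, 1, 0, 1, 0, 0, 1]
K1, K2 = 1234, 4321   # secret keys of the first and second entity (constructed)

if __name__ == "__main__":
    record, h1, gw = embedding_process(G, U, S, K1, K2)
    ref = embed(G, U)
    framed = embed(ref, S)   # first entity embeds S directly; it cannot form D2(S)
    print(verify(gw, ref, S, record, h1, K2))      # leaked genuine copy
    print(verify(framed, ref, S, record, h1, K2))  # copy forged by the first entity
    print(verify(gw, ref, S, record, h1, 999))     # second entity lies about its key
```

Because the first entity never learns the second key, the copy it forges carries S rather than D2(S), which is what procedure 7) detects.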

[0242] An explanation will now be given for verification 2, which is performed when it is ascertained in procedure 4) that the server S did not commit the illegal act. In verification 2, user information U2' is extracted from the illegal image data Gww' = G + U1' + U2' + Da2(S1') + Du2(S2'). When the user information U2' is not extracted, it is ascertained that the agency A, which is the first entity, committed the illegal act.

[0243] As in procedure 2) above the agency A, which serves as the first entity in verification 2, submits the illegal image data Gww' and the extracted user information U2' to the verification office 30, and requests that the verification office 30 examine the user U, which is the second entity. As in procedure 3), the verification office 30 requests that the second entity submit the second encryption key stored therein, and extracts signature information S2' by performing the second encryption for the illegal image data Gww'. When the correct signature information S2' is extracted, i.e., when S2' = S2, it is ascertained that the user, which is the second entity, committed the illegal act.
[0244] When the correct signature information S2' can not be extracted, i.e., when the signature information S2' does not match S2, as in procedure 5) the verification office 30 examines the data Eu2(Gw + U2) + S2, and the hash value H1' and its accompanying signature S2, all of which are transmitted by the agency A, which is the first entity, to the user U, which is the second entity. The verification office 30 then confirms that the hash value H1' matches the hash value obtained from the data Eu2(Gw + U2) + S2, and after this, the verification office 30 decrypts the data Eu2(Gw + U2) + S2 by employing the second encryption key submitted by the user U, and extracts the image data Gww in which is embedded an electronic watermark.

[0245] When the correct image data in which is embedded the electronic watermark can not be extracted, it is ascertained, as in procedure 6), that the user U, which is the second entity, committed the illegal act. This means that the second encryption key submitted by the user is not correct. When the correct image data in which is embedded the electronic watermark can be extracted, it is ascertained, as in procedure 7), that the agency A, which is the first entity, committed the illegal act.

[0246] As is described above, substantially the same procedures are performed for verification 1 and verification 2, and only the definitions for the first and the second entities need be changed. Also, the party who has committed the illegal act can be identified in the same manner.
[0247] As is apparent from the verification process, the terminal of the verification office 30 includes the same functions as does the second encryption unit 24, the second decryption unit 25 and the hash identification unit 27 of the terminal 20.

[0248] In the above embodiment, since processes 1 and 2 are independently performed, collusion is senseless. For example, even should the agency collude with the user, the user can not affect the process 1. Furthermore, even should the server collude with the agency, or the server collude with the user, neither the user nor the agency could obtain the final image data that includes an electronic watermark that is affected by the encryption performed by the user or the agency.
[0249] There is no need for the verification office 30 
until an illegal image is discovered, and no illegal act 
can be determined to have been performed until an ille- 
gal image has been discovered. In addition, so long as 
the above described verification processing is well 
known, and the first and the second entities monitor the 
results of that processing, an illegal act by them can be 
detected in accordance with the situation, even without 
the verification office being involved. 

(Tenth Embodiment) 

[0250] Recently, the transfer of money across net- 
works, a fund transfer procedure that is called electronic 
cash, has come to be employed. Since as with a regular 
cash payment, the name of the owner of an electronic 
cash transfer is not identified, anonymity is attained. If 
the attainment of anonymity were not possible, a seller 
of a product could obtain from an electronic cash trans- 
fer information concerning a purchaser and the use of 
its product, and the privacy of a user would not be pro- 
tected. Therefore, the protection of the privacy of a user 
is as important as is the protection provided for a copy- 
right granted to a creator who uses an electronic water- 
mark. 

[0251] In a tenth embodiment, therefore, the anonymity of a user is provided for a purchaser, and when an illegal act, such as the illegal distribution of images, is discovered, it is possible to identify an unauthorized distributor, which is the original purpose of an electronic watermark. This is achieved by employing, for example, a system shown in Fig. 24.

[0252] The system has the same structure as has the 
system 100 for the ninth embodiment, while an anony- 
mous public key certificate, which is issued by a certifi- 
cation office 40, is provided for a user terminal 20. 
[0253] Generally, in order to authenticate signature 
information, a certificate issued by an organization 
called a certification office is added to a public key that 
is used when examining the signature information. 
[0254] A certification office is an organization that issues certificates for public keys assigned to users to provide public key authentication that is consonant with the requirements of the public key encryption system. That is, a certification office employs its own secret key to provide a signature for a user's public key, or for data concerning the user, and for this purpose prepares and issues a certificate. When a user receives from another user a signature that is accompanied by a certificate, the user examines the certificate using the public key of the certification office to verify the authentication provided by the user who transmitted the public key (or, at the least, the fact that authentication has been provided the user by the certification office). Both VeriSign and CyberTrust are well known organizations that operate such certification offices.

[0255] When at procedure 2) of the embedding process in the ninth embodiment a first entity examines a signature to verify the contract information submitted for a user (second entity), the first entity can employ the public key with a signature issued by the certification office 40 in Fig. 24. However, since the name of the owner of the public key is generally written in the certificate, user anonymity is not provided at the time data are purchased.

[0256] On the other hand, if the certification office 40 keeps secret the correspondence of public keys and their owners, the name of an owner may not be written in a certificate issued for a public key. An anonymous certificate for a public key is hereinafter called an "anonymous public key certificate," and a public key for which such a certificate is provided is called an "anonymous public key with a certificate." In procedure 1) of the above described embedding process, when a user U transmits to a server not only contract information but also a signature for the contract information and an anonymous public key, accompanied by a certificate, to enable the examination of the signature information S, the user can remain anonymous when purchasing digital data.

[0257] Therefore, the anonymous public key, accompanied by the certificate, is transmitted to the agency A as information to be used for verification of the user U. And when an illegal transaction is discovered and the user must be identified, the anonymous public key, accompanied by the certificate, is transmitted to the certification office 40 with a request for the user name which corresponds to that of the owner of the public key. Therefore, when procedures 1) and 2) in the embedding process and procedures 1) and 2) in the verification process in the ninth embodiment are performed as follows, the anonymity of the user U when purchasing digital data can be maintained, but when an illegal transaction is discovered, the user responsible for the perpetration of the transaction can be identified.
[0258] The embedding process and the verification process performed by the system in Fig. 24 will be specifically described.

[0259] In the system shown in Fig. 24, the same reference numerals as are used in the system in Fig. 23 are also used to denote corresponding components, and a specific explanation is given only for those portions that are different. Since the processing is the same as that for the ninth embodiment, except for procedures 1) and 2) in the embedding process and procedures 1) and 2) in the verification process, no detailed explanation for them will be given.

[Embedding Process] 
[0260] 

1) First, in the second entity (user) terminal 20, a 
contract generator 21 provides, as contract infor- 
mation for requesting desired image data, a signa- 
ture that corresponds to an anonymous public key 
that is accompanied by a certificate issued by a cer- 
tification office 40. Together with the anonymous 
public key and the accompanying certificate, the 
second terminal 20 transmits the contract informa- 
tion to the first entity (agency), terminal 10. 

2) In the first entity, terminal 10, a contract identification unit 11 examines the public key belonging to the second entity (user) by using the public key of the certification office 40. And the contract identification unit 11 identifies the signature for the contract information using the anonymous public key of the second entity, and after the confirmation process is completed, prepares user information U using at least either the contract information or the anonymous public key. A first electronic watermark embedding unit 12 embeds, in image data G, the user information U that is prepared by the contract identification unit 11. A first encryption unit 13 performs first encryption E1() for the image data G, and transmits the obtained data to the second entity, terminal 20. Thus, the second entity, terminal 20, receives the first encrypted image data E1(G + U).

Hereinafter procedures 3) to 5) in the embedding 
process in the ninth embodiment are performed. 

[0261] Procedures 1) and 2) in the embedding process in the tenth embodiment can be applied for either or for both of the previously mentioned processes 1 and 2. While generally anonymity is not very important to the agency, to maintain privacy the user's anonymity is very important, and it is more particularly important in this embodiment because the embedding process is employed when the agency distributes its contents as electronic information to the user.
[0262] Therefore, as a modification of the embodiment, a hierarchical system is more effective when the system for the ninth embodiment shown in Fig. 23 is employed for the distribution of electronic information by the server to the agency, and when the system for the tenth embodiment shown in Fig. 24 is employed for the distribution of electronic information by the agency to the user. That is, in the hierarchical system, the privacy of the user can be protected while the number of requests submitted to the certification office 40 can be held to the minimum possible.
[Verification Process]

[0263] The verification process is very effective when it is applied to verification 2 in the ninth embodiment. Therefore, an explanation will be given while assuming that procedures 1) and 2) below are applied to the verification performed by the agency and the user, i.e., verification 2. At this time, it is assumed that it was ascertained in procedure 4) of verification 1 that the server S did not commit an illegal act.

1) First, in verification 2 for the agency A and the server S, the terminal 10 on the agency side (the first entity) extracts user information U2' from the illegal image data Gww' = G + U1' + U2' + Da2(S1') + Du2(S2'). When the user information U2' can not be extracted, it is ascertained that the agency A committed the illegal act. When the user information U2' is extracted, the extracted user information U2' and the anonymous public key obtained from the contract information are submitted to the certification office 40 to request the user name that corresponds to the public key.

2) The agency A, which is the first entity, submits the illegal image Gww' and the extracted user information U2' to the verification office, and requests that the verification office examine the user whose name corresponds to the public key.

The above described procedures 3) to 7) in the verification process in the ninth embodiment are performed.
[0264] As is described above, according to the tenth embodiment, when purchasing digital data the user can remain anonymous relative to the verification office.

(Eleventh Embodiment) 

[0265] An eleventh embodiment will now be described while referring to Fig. 25. The eleventh embodiment differs from the ninth embodiment in that the signature information for the second entity is embedded as an electronic watermark by a second entity terminal 20, instead of a first entity terminal 10. The same reference numerals as are used in Fig. 23 are also used to describe corresponding components in Fig. 25. No explanation will be given for processing that is identical to that in the ninth embodiment.

[0266] A terminal 10 comprises: a contract identification unit 11, for receiving data from the terminal 20; an electronic watermark embedding unit 12, for receiving, for example, image data (digital data); a first encryption unit 13, for receiving the output of the electronic watermark embedding unit 12; a first decryption unit 14, for receiving data from the terminal 20; a hash identification unit 35, for receiving data from the terminal 20 and from the first decryption unit 34; and a hash generator 36, for receiving the output of the first decryption unit 34. The outputs of the first encryption unit 13 and the hash generator 36 are transmitted to the terminal 20. And the output of the first decryption unit 34 is transmitted both to the hash generator 36 and to the terminal 20.
[0267] The second entity terminal 20 comprises: a contract generator 21, for transmitting data to the contract identification unit 11 of the terminal 10; a signature generator 22; an electronic watermark embedding unit 43, for receiving data from the signature generator 22 and from the first encryption unit 13 of the terminal 10; a second encryption unit 44, for receiving data from the electronic watermark embedding unit 43; a hash generator 46, for receiving the output of the second encryption unit 44; a second decryption unit 45, for receiving data from the first decryption unit 34 of the terminal 10; and a hash identification unit 47, for receiving data from the first decryption unit 34 and the hash generator 36 of the terminal 10. The data produced by the second decryption unit 45 are output as data in which an electronic watermark is embedded.
[0268] The data produced by the second encryption unit 44 are transmitted to the first decryption unit 34 and the hash identification unit 35 of the terminal 10. The data produced by the hash generator 36 are transmitted to the hash identification unit 35 of the terminal 10.
[0269] The electronic watermark embedding process 
performed by the system in Fig. 25 will now be 
described. 

[Embedding Process] 
[0270] 

Since the procedures 1) and 2) are the same as 
those for the ninth embodiment, no explanation for 
them will be given. 

3) In the terminal 20, the signature generator 22 
generates signature information S using the secret 
key belonging to the second entity. 

The electronic watermark embedding unit 43 embeds the signature information S generated by the signature generator 22 in the first encrypted image data E1(G + U) that have been transmitted (distributed) by the terminal 10.

The second encryption unit 44 performs the 
second encryption for the first encrypted image 
data E1(G + U) + S in which the signature informa- 
tion S is embedded by the electronic watermark 
embedding unit 43. The obtained image data are 
transmitted to the first entity terminal 10. 

The terminal 10, therefore, receives the second encrypted image data E2(E1(G + U) + S).

The hash generator 46 generates a hash value H2 for the second encrypted image data E2(E1(G + U) + S) that are to be transmitted to the terminal 10. The hash generator 46 then provides a signature for the hash value H2, and transmits it to the terminal 10, with secret information, other than the signature information S, concerning the electronic watermark.

The secret information is information that concerns the embedding position and the strength required to detect an electronic watermark that is encrypted by another encryption method that is shared with the terminal 10.

4) In the terminal 10, the hash identification unit 35 identifies the signature for the hash value H2 received from the user terminal 20, and confirms that the hash value H2 matches the hash value of the data to be transmitted. After the confirmation process has been completed, the hash value H2 is stored.

The first decryption unit 34 decrypts the first encrypted portion of the second encrypted image data E2(E1(G + U) + S) received from the terminal 20, and transmits the obtained image data to the terminal 20.

In this manner, the user terminal 20 receives the image data E2(G + U) + D1(E2(S)).

The hash generator 36 generates a hash value H1 for the image data E2(G + U) + D1(E2(S)) that are to be transmitted to the terminal 20. The hash generator 36 then provides a signature for the hash value H1, and transmits it to the terminal 20.

5) In the terminal 20, the hash identification unit 47 identifies the signature for the hash value H1 received from the server terminal 10, and confirms that the hash value H1 matches the hash value of the data to be transmitted. After the confirmation has been completed, the hash value H1 is stored.

The second decryption unit 45 decrypts the second encrypted portion of the image data E2(G + U) + D1(E2(S)) received from the terminal 10, and extracts image data Gw in which is embedded an electronic watermark.

Therefore, the image data in which is embedded an electronic watermark is represented by Gw = G + U + D1(S). This means that the electronic watermark (user information) U and the electronic watermark (signature information) that is affected by the first decryption are embedded in the original image data G.

The image data Gw, in which is embedded the electronic watermark, are stored.

As is described above, the user information U is not affected by the encryption, and the signature information S is affected by the first decryption.

[0271] When the above described embedding process is performed, in process 1 the agency can obtain image data Gw, in which is embedded an electronic watermark, wherein his or her signature information is embedded in the original image G of the server or the author. Assuming that the user information and the signature information in process 1 are U1 and S1, the encryption and decryption performed by the user are Es1() and Ds1(), the encryption and decryption performed by the agency are represented as Ea2() and Da2(), and the image in which is embedded the electronic watermark obtained by the agency is represented by Gw = G + U1 + Ds1(S1). When in process 2 the same embedding process is performed while the image data Gw of the agency are employed as the original image data, the user can acquire image data having an electronic watermark, Gww = G + U1 + Ds1(S1) + U2 + Da1(S2), wherein the encryption and decryption performed by the agency are Ea1() and Da1(). In this case, assume that the user information and the signature information in process 2 are U2 and S2.

[0272] When illegal copy Gww' is discovered, as in the ninth embodiment, the verification processing is broken down into verification 1, which corresponds to process 1, for verifying the server or the author and the agency, and verification 2, for verifying the agency and the user. Verification process 1 is performed first, and then verification process 2 is performed. In verification 1 the user information and the signature information are defined as U1 and S1, and the encryption and decryption performed by the server are Es1() and Ds1(). In the verification 2 the user information and the signature information are defined as U2 and S2, and the encryption and decryption performed by the agency are Ea1() and Da1().

[0273] It should be noted that image data are not 
affected by the modification or the deletion of electronic 
watermark information, as in the ninth and the tenth 
embodiments. 

[Verification Process] 

[0274] 

1) First, in verification 1 for the server S and the agency A, the terminal 10 on the server side (the first entity) extracts user information U1' from the illegal image data Gww' = G + U1' + U2' + Ds1(S1') + Da1(S2'). Also, the terminal 20 performs first encryption Es1() for the image data Gww' and extracts signature information S1'. When the user information U1' can not be extracted, it is ascertained that the server S committed the illegal act.

2) If the correct signature information S1' is extracted, i.e., if S1' = S1, the server S submits the signature information S1' to the verification office 30, i.e., it is ascertained that the server S, which is the first entity, did not commit the illegal act. Program control moves to verification 2.

3) When the correct signature information can not be extracted in procedure 2), i.e., when S1' does not match S1, to request verification the server S, which is the first entity, submits to the verification office 30 the stored hash value for the second encrypted image data Ea2(Es1(G + U1) + S1) and its accompanying signature, the first encryption secret key, and secret information concerning the illegal image data Gww'.

4) Upon receiving the request in procedure 3), the verification office 30 ascertains that the correct signature information S1 can not be extracted from the illegal image data Gww'. Then, the verification office 30 examines the submitted hash value H2 and its accompanying signature in order to confirm that the hash value of the second encrypted image data Ea2(Es1(G + U1) + S1) matches the hash value H2 that has been submitted.

After the confirmation process has been completed, the verification office 30 decrypts the first encrypted portion of the second encrypted image data Ea2(Es1(G + U1) + S1) and obtains the image data Ea2(G + U1) + Ds1(Ea2(S1)). The verification office 30 confirms that the hash value for the obtained data matches the hash value H1 that is held by the agency A, which is the second entity. At this time, the signature for the hash value H1 is also identified.

5) When in procedure 4) the hash value for the data Ea2(G + U1) + Ds1(Ea2(S1)) does not match the hash value H1, it is ascertained that the server S, which is the first entity, committed the illegal act. This means that the secret keys for the first encryption in procedure 4) of the embedding process and in procedure 4) of the verification process differ.

6) When the two hash values match, the verification office requests that the agency A, which is the second entity, decrypt the second encrypted portion of the data Ea2(G + U1) + Ds1(Ea2(S1)) that is obtained in procedure 4) of the verification process. And the verification office 30 extracts the signature information S1 from the resultant image data.

7) When the correct signature information S1 is not extracted, i.e., when S1' does not match S1, it is ascertained that the agency A committed the illegal act.

8) When the correct signature information is extracted, it is ascertained that it was not the agency, but the server S that committed the illegal act.

[0275] Next, an explanation will be given for verification 2 performed when it is ascertained that the server S did not commit the illegal act. In verification 2, as in procedure 1), the user information U2' is extracted from the illegal image Gww' = G + U1' + U2' + Ds1(S1') + Da1(S2'). Also, the first encryption Ea1() is performed for the image data Gww' to extract signature information S2'. When the user information U2' can not be extracted, it is ascertained that the agency A committed the illegal act.
[0276] When the correct signature information S2' is 



extracted, as in procedure 2) above, i.e., when 
S2' = S2 , the agency A submits the signature informa- 
tion S2' to the verification office 30 to ascertain whether 
the user U committed the illegal act. 
[0277] This is because the signature information S2 r 
is prepared only by the user U, the server S and the 
agency A having no knowledge of the signature infor- 
mation S2\ It should be noted that the legality of the sig- 
nature information S2' can be verified by determining 
whether or not predetermined information, which is 
defined in advance by the contract information, can be 
output by employing a public key that corresponds to the 
secret key the user employs when generating the signa- 
ture information. 

[0278] When the correct information S2 is not extracted, as in procedure 3), to request verification, the agency A, which is the first entity, submits to the verification office 30 the hash value H2 for the stored second encrypted image data Eu2(Ea1(G + U1 + U2 + Ds1(S1)) + S2) and its accompanying signature, the secret key for the first encryption, and the secret information concerning the illegal image Gww'.

[0279] As in procedure 4), the verification office 30 determines that the correct signature information S2 can not be extracted from the illegal image Gww'. The verification office 30 examines the hash value H2 and the signature that are submitted, and confirms that the hash value for the second encrypted image data Eu2(Ea1(G + U1 + U2 + Ds1(S1)) + S2) matches the hash value H2 that has been submitted. After the confirmation process is completed, the verification office 30 decrypts the first encrypted portion of the second encrypted image data Eu2(Ea1(G + U1 + U2 + Ds1(S1)) + S2) and obtains data Eu2(G + U1 + U2 + Ds1(S1)) + Da1(Eu2(S2)). In addition, the verification office 30 confirms that the hash value for the obtained image matches the hash value H1 that was stored by the user U, which is the second entity. At this time, the signature for hash value H1 is identified.

[0280] When the hash value for the data Eu2(G + U1 + U2 + Ds1(S1)) + Da1(Eu2(S2)) does not match the hash value H1, it is ascertained, as in procedure 5) above, that the agency A, which is the first entity, committed the illegal act. When the two hash values match, as in procedure 6), the verification office 30 requests the user, who is the second entity, to decrypt the second encrypted portion of the data Eu2(G + U1 + U2 + Ds1(S1)) + Da1(Eu2(S2)). The signature information S2 is extracted from the decrypted data.

[0281] When the correct signature information S2 can not be extracted, it is ascertained that the user, which is the second entity, committed the illegal act. When the correct signature information S2 is extracted, however, it is ascertained that the agency, which is the first entity, committed the illegal act.

[0282] As is described above, verification 1 and verification 2 are substantially performed according to the same procedures, and only the definitions of the first and the second entities need be changed. Also, the party that committed the illegal act can be identified in the same manner.
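The blame assignment of procedures 4) to 8) of verification 1 can be traced with a toy model; this is an added example, not code from the patent. It assumes that the first and second encryptions are key-driven row and column rearrangements (so they commute and distribute over the additive watermark), that the hash is SHA-256, and that extraction is non-blind against the stored Es1(G + U1); the signatures on H1 and H2 are omitted, and all names and sample values are constructed.

```python
import hashlib

# Constructed toy values. Keys are permutations: the server's first encryption
# rearranges rows, the agency's second encryption rearranges columns, so the
# two commute and each distributes over the additive watermark.
KS1 = (2, 0, 3, 1)   # server S secret key (assumed form)
KA2 = (1, 3, 0, 2)   # agency A secret key (assumed form)
G_U1 = [[10, 20, 30, 40], [50, 60, 70, 80],
        [90, 100, 110, 120], [130, 140, 150, 160]]   # G + U1
S1 = [[1, 0, 0, 1], [0, 1, 1, 0], [1, 1, 0, 0], [0, 0, 1, 1]]  # agency signature


def transpose(m):
    return [list(col) for col in zip(*m)]


def enc_rows(m, key):
    """Output row i is input row key[i]."""
    return [list(m[src]) for src in key]


def dec_rows(m, key):
    out = [None] * len(m)
    for dst, src in enumerate(key):
        out[src] = list(m[dst])
    return out


def enc_cols(m, key):
    return transpose(enc_rows(transpose(m), key))


def dec_cols(m, key):
    return transpose(dec_rows(transpose(m), key))


def add(a, b):
    return [[(x + y) % 256 for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]


def sub(a, b):
    return [[(x - y) % 256 for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]


def digest(m):
    return hashlib.sha256(bytes(v for row in m for v in row)).hexdigest()


def embedding_run(g_u1, s1, ks1, ka2):
    """Produce the values each side stores during embedding."""
    c1 = enc_rows(g_u1, ks1)              # Es1(G + U1), server -> agency
    c2 = enc_cols(add(c1, s1), ka2)       # Ea2(Es1(G + U1) + S1)
    d = dec_rows(c2, ks1)                 # Ea2(G + U1) + Ds1(Ea2(S1))
    return {"c1": c1, "c2": c2, "H2": digest(c2), "H1": digest(d)}


def verify(rec, submitted_ks1, agency_decrypt, s1):
    """Procedures 4) to 8), entered after S1 was not found in the illegal image.

    Returns (party held responsible, procedure number that decided it).
    """
    # 4) the stored second encrypted data must match the submitted H2
    if digest(rec["c2"]) != rec["H2"]:
        raise ValueError("stored data does not match H2")  # outcome not on the page
    # 4) undo the first encryption with the key the server submitted
    d = dec_rows(rec["c2"], submitted_ks1)
    # 5) mismatch with H1: the server used a different first-encryption key
    if digest(d) != rec["H1"]:
        return ("server", 5)
    # 6) the agency undoes the second encryption: G + U1 + Ds1(S1)
    image = agency_decrypt(d)
    # Extraction (assumed non-blind): re-apply Es1, subtract the stored Es1(G + U1)
    extracted = sub(enc_rows(image, submitted_ks1), rec["c1"])
    # 7) wrong signature: agency; 8) correct signature: server
    return ("server", 8) if extracted == s1 else ("agency", 7)


def demo():
    rec = embedding_run(G_U1, S1, KS1, KA2)
    honest = lambda d: dec_cols(d, KA2)
    wrong_key = lambda d: dec_cols(d, (0, 1, 2, 3))
    return {
        "record sound": verify(rec, KS1, honest, S1),
        "server submits another key": verify(rec, (0, 1, 2, 3), honest, S1),
        "agency decrypts wrongly": verify(rec, KS1, wrong_key, S1),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, "->", verdict)
```

Swapping the roles (agency as first entity, user as second, keys Ea1 and Eu2) gives verification 2 with the same function.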

[0283] The eleventh embodiment is the same as the ninth embodiment in so far as process 1 and process 2 are independently performed; there is no need for the verification office until an illegal image has been discovered, and no illegal act can be committed until an illegal image has been discovered; and a verification office is not necessarily provided.

(Twelfth Embodiment)

[0284] Fig. 26 is a diagram illustrating a twelfth embodiment of the present invention. The same reference numerals as are used in Figs. 24 and 25 are also used to denote components that perform the same processing, and no explanation for them will be given. According to the twelfth embodiment, with the arrangement of the eleventh embodiment, in order for the privacy of a user S to be protected, as in the tenth embodiment, the user S transmits contract information to an agency A, together with a public key accompanied by a certificate that is issued by a certification office 40.
[0285] For the embedding process in this embodiment, the procedures 1) and 2) in the eleventh embodiment are replaced by the procedures 1) and 2) in the tenth embodiment, and the following procedures are the same as those in the eleventh embodiment. This embedding process is as effective as that in the tenth embodiment when it is applied for the distribution of electronic information by the agency to the user.

[0286] While the verification process in this embodiment is applied to verification 2 in the eleventh embodiment, there is a difference that will now be described. In the twelfth embodiment, as in the tenth embodiment, first, in verification 2 for the agency A and the user U the terminal 10 on the agency side (first entity) extracts user information U2' from the illegal image data Gww' = G + U1' + U2' + Da2(S1') + Du(S2') that has been discovered.

[0287] The agency A submits to the certification office 40 the user information U2' and the anonymous public key obtained from the contract information, and requests the user name that corresponds to the public key. When the user information U2' is not extracted, it is ascertained that the agency A committed the illegal act. Further, the first encryption is performed for the illegal image data Gww' = G + U1' + U2' + Da2(S1') + Du(S2'), and signature information S2' is extracted. Since the succeeding process is the same as verification 2 in the eleventh embodiment, no further explanation will be given.

[0288] When the signature information S2' is not extracted, it is ascertained that the server S committed the illegal act. When the user information U2' is extracted, the agency A submits to the certification office 40 the user information U2' and the anonymous public key obtained from the contract information, and requests the user name that corresponds to the public key. Then, the agency A, which is the first entity, submits to the verification office the illegal image data Gww' and the extracted user information U2' and requests an examination of the user name that corresponds to the public key.

[0289] In the above described embodiments, electronic watermark information can be embedded by using various methods, such as the well known methods described in, for example, "Hiding of Static Picture Data Using Pixel Blocks," Shimizu, Numao, Morimoto (IBM, Japan), 53rd Information Processing Institute National Assembly, IN-11, September 1996; or in "Secure Spread Spectrum Watermarking for Multimedia," I.J. Cox, J. Kilian, T. Leighton and T. Shamoon (NEC), NEC Research Institute Technical Report 95-10.

[0290] Further, the methods used for the first encryption and the second encryption can also be implemented by employing various methods, such as an encryption method for changing the arrangement of bits in consonance with an encryption key.

[0291] In addition, in procedure 2) of the embedding process, the hash value and the signature are not included in the image data E1(G + U) that is to be transmitted to the user terminal 20. However, a hash value and its signature can be provided for the data in order to determine whether or not a communication path has been altered.

[0292] Furthermore, the first encryption and the second encryption are performed in the electronic watermark information embedding process in order to prevent both the server and the user from being notified of the information that is stored by the other. However, DES (Data Encryption Standard) cryptography or a hash function may be employed to prevent wiretapping and the alteration of data across a communication path by a third party.

[0293] Furthermore, in the individual embodiments, the first entity is in charge of the detection of illegal data distribution. However, so long as electronic watermark extraction means is provided, any user can detect an illegal distribution of data and of user information, even though he or she does not know the secret key for the first encryption or the second encryption. When an illegal distribution of data is detected, the user need only notify the server for the verification process to be begun. Therefore, the detection of illegal distributions is not limited to the first entity.

[0294] The terminal 10 of the first entity can embed in the image data not only the user information U but also other information as needed, such as copyright information and information concerning an image data distribution condition. In addition, to embed secret information, the server terminal 10 need only perform the embedding process after the first encryption, so that in addition to the signature information, information that is affected by the first encryption can be embedded in the image data. The user information U is not always embedded before the first encryption, and may be embedded after the first encryption (in this case, the detection of the user information U can be performed only by the server, or by a person who knows the secret key used for the first encryption).

[0295] When the terminal 20 of the second entity is an apparatus within which a plurality of users share a printer or a terminal, the signature information and the second encryption for the second entity may include the signature information and the encryption system for the printer or terminal that is used in common.

[0296] The first encrypted information from the server terminal 10 may be widely distributed across a network or by using a CD-ROM, even without it being requested by the user terminal 20 based on the contract information.

[0297] The signature information S for the second entity is not necessarily generated by the public key encryption method, but may be information (e.g., a code number) that is defined by the user based on the contracted information.

[0298] In the United States, to employ encryption for 40 bits or more, a key management office is required to manage an encryption key in order to prevent the unauthorized use of the cryptograph. The verification office, therefore, can also serve as a key management office. And when the verification office provides advance management of the secondary encryption key, the verification office can perform by itself the verification processes 1) to 3) by performing the monitoring for an illegal image. The first encryption key of the first entity may be managed either by the same verification office, or by another key management office. And the keys of the server and the user may be generated and distributed by the key management office.

[0299] The same encryption process, or a process employing a different encryption method or a different encryption key, may be performed by the agency for processes 1 and 2.

[0300] When an illegal act is not committed by the server, the server or the author may embed electronic watermark information in image data and distribute it to the agency, and the agency may embed different electronic watermark information and transmit it to the user.

[0301] In addition, instead of a single agency, a plurality of agencies may be provided hierarchically. In this case, a specific agency in charge of the hierarchical structure may perform the processing that the agency is in charge of, or the individual agencies may perform the protocol to specify an agency to be in charge.

[0302] When only one agency is provided, as is shown in Fig. 5, embedding of the user information U1 concerning the agency can be omitted.

[0303] As is described above, according to the electronic watermark superimposition method and the electronic information distribution system in the above embodiments, when dependent electronic information is to be distributed at least among three entities, an illegal act due to collusion between two entities, several combinations of which are available, can be prevented.

[0304] Embodiments of the present invention can be implemented in software. Thus the present invention provides a storage medium such as a floppy disc storing such software and a signal carrying the software, e.g. when downloaded over a network such as the internet.

Claims 

1. An electronic watermarking method comprising:

a first step at which a first entity performs a first encryption process for the original data;
a second step at which a second entity, at the least, either manages or distributes said data that are provided by said first encryption and embeds an electronic watermark in said data; and
a third step at which a third entity performs a second encryption process for said data in which said electronic watermark has been embedded.

2. An electronic watermark method according to claim 1, wherein said first step includes at the least a step of embedding an electronic watermark before or after said first encryption process is performed for said original data.

3. An electronic watermark method according to claim 1, wherein said second step includes at the least a step of performing a third encryption process before or after said electronic watermark is embedded.

4. An electronic watermark method according to claim 1, further comprising the step of: distributing data that at the least is affected by said first encryption process or said second encryption process, and in which said electronic watermark is embedded.

5. An electronic watermark method according to claim 1, further comprising the step of: a certification office examining a signature for said third entity using an anonymous public key accompanied by a certificate.

6. An electronic watermark method according to claim 1, wherein said second entity includes a plurality of entities.

7. An electronic watermark method according to claim 1, wherein information that is to be embedded by said second entity is either information concerning said third entity or information concerning data to be transmitted.

8. An electronic watermark method according to claim 1, wherein said first step includes a step of embedding an electronic watermark in image data at least before or after said first encryption process is performed for said original data; and wherein information that is to be embedded by an n-th (n ≥ 1) entity is either information concerning an (n+1)th entity or information concerning data to be transmitted.

9. An electronic watermark method according to claim 1 or 2, wherein said process for embedding said electronic watermark is a process for not embedding information concerning said second entity.

10. An electronic watermark method according to claim 1 or 2, wherein said original data are image data.

11. An electronic information distribution system that exchanges data across a network at the least comprising:

a first entity, including first encryption means, for performing a first encryption process for the original data;
a second entity, including management distribution means for, at the least, either managing or distributing said data that are provided by said first encryption process, and including electronic watermark embedding means for embedding an electronic watermark in said data; and
a third entity, including second encryption means for performing a second encryption of said data in which an electronic watermark is embedded.

12. An electronic information distribution system according to claim 11, wherein said first entity includes at the least electronic watermark embedding means for embedding an electronic watermark before or after said first encryption process is performed for said original data.

13. An electronic information distribution system according to claim 11, wherein said second entity includes at the least third encryption means for performing a third encryption process before or after said electronic watermark is embedded.

14. An electronic information distribution system according to claim 11, further comprising: distribution means for distributing data that at the least is affected by said first encryption process or said second encryption process, and in which said electronic watermark is embedded.

15. An electronic information distribution system according to claim 11, further comprising: verification means for examining a signature for said third entity using an anonymous public key accompanied by a certificate issued by a certification office.

16. An electronic information distribution system according to claim 11, wherein said second entity includes a plurality of entities.

17. An electronic information distribution system according to claim 11, wherein information that is to be embedded by said second entity is either information concerning said third entity or information concerning data to be transmitted.

18. An electronic information distribution system according to claim 11, wherein said first entity includes electronic watermark embedding means for embedding an electronic watermark in image data at least before or after said first encryption process is performed for said original data; and wherein electronic watermark embedding means of an n-th (n ≥ 1) entity embeds said information as either information concerning an (n+1)th entity or information concerning data to be transmitted.

19. An electronic information distribution system according to claim 11 or 12, wherein said electronic watermark embedding means does not embed at the least information concerning said second entity.

20. An electronic information distribution system according to claim 11, wherein said original data are image data.

21. An image filing apparatus for storing data that are generated at the steps of an electronic watermark embedding method according to one of claims 1 to 10.

22. A storage medium on which the steps of an electronic watermark embedding method according to one of claims 1 to 10 are stored so that they may be read by a computer.

23. An electronic watermark superimposition method comprising the steps of:

encrypting electronic information and exchanging the resultant electronic information;
embedding electronic watermark information in said electronic watermark during the encryption process; and
repeating a plurality of times the processing for transmitting said electronic information accompanying an electronic watermark,
whereby said electronic information on which said electronic watermark information is superimposed is transmitted by a first entity and delivered via a second entity to a third entity.

24. An electronic watermark superimposition method according to claim 23, wherein in said repetitive process, before said transmission entity transmits said electronic information to said reception entity, said transmission entity embeds an electronic watermark in electronic information that is encrypted by said reception entity.

25. An electronic watermark superimposition method according to claim 24, wherein, in said repetitive process, said reception entity performs a second encryption of electronic information for which said transmission entity has performed first encryption, which that differs from said second encryption, and returns the resultant information to said transmission entity, and wherein said transmission entity decrypts the first encrypted portion of said electronic information, and embeds said electronic watermark information.

26. An electronic watermark superimposition method according to claim 23, wherein in said repetitive process, before said transmission entity transmits said electronic information to said reception entity, said reception entity embeds an electronic watermark in electronic information that is encrypted by said transmission entity.

27. An electronic watermark superimposition method according to claim 26, wherein, in said repetitive process, said reception entity adds electronic watermark information electronic information for which said transmission entity has performed a first encryption, performs a second encryption that differs from said first encryption, and returns the resultant information to said transmission entity, and wherein said transmission entity decrypts the first encrypted portion of said electronic information in which said electronic watermark information is embedded, and transmits the resultant information to said reception entity.

28. An electronic watermark superimposition method according to one of claims 24 to 27, wherein, before encrypting said electronic information, said transmission entity embeds different electronic watermark information in said electronic information.

29. An electronic watermark superimposition method according to claim 28, wherein information specifying a reception entity is embedded as said electronic watermark information.

30. An electronic watermark superimposition method according to one of claims 24 to 29, wherein a signature for said reception entity is examined using an anonymous public key accompanied by a certificate issued by a certification office.

31. An electronic watermark superimposition method according to one of claims 24 to 29, wherein, when said third entity serves as a reception entity, a signature for said third entity is examined using an anonymous public key issued by said certification office; and wherein, when said second entity serves as a reception entity, a signature for said second entity is examined using an anonymous public key issued by said certification office.

32. An electronic information distribution system comprising:

a first entity in which original electronic information is held, including encryption means for encrypting said original electronic information and embedding means for embedding an electronic watermark in said electronic information provided by the encryption process;
a second entity, including encryption means for managing and distributing electronic information received from said first entity and for encrypting said electronic information, and including embedding means for embedding electronic watermark information in said electronic information; and
a third entity, including encryption means for encrypting electronic information received from said second entity, for employing the resultant electronic information.

33. An electronic information distribution system according to claim 32, wherein the same process is at the least employed as one part of a first procedure for transmitting electronic information from said first entity to said second entity and as one part of a second procedure for the transmission of electronic information by said second entity to said third entity.

34. An electronic information distribution system according to claim 33, wherein said first and said second entities, and said second and said third entities encrypt electronic information and exchange the encrypted information, and, during the processing, embed electronic watermark information.

35. An electronic information distribution system according to claim 33 or 34, wherein in said same process, before said transmission entity transmits said electronic information to said reception entity, said transmission entity embeds an electronic watermark in electronic information that is encrypted by said reception entity.

36. An electronic information distribution system according to claim 35, wherein, in said same process, said reception entity performs a second encryption of electronic information for which said transmission entity has performed first encryption, which that differs from said second encryption, and returns the resultant information to said transmission entity, and wherein said transmission entity decrypts the first encrypted portion of said electronic information, and embeds said electronic watermark information.

37. An electronic information distribution system according to claim 33 or 34, wherein in said same process, before said transmission entity transmits said electronic information to said reception entity, said reception entity embeds an electronic watermark in electronic information that is encrypted by said transmission entity.

38. An electronic information distribution system according to claim 37, wherein, in said same process, said reception entity adds electronic watermark information electronic information for which said transmission entity has performed a first encryption, performs a second encryption that differs from said first encryption, and returns the resultant information to said transmission entity, and wherein said transmission entity decrypts the first encrypted portion of said electronic information in which said electronic watermark information is embedded, and transmits the resultant information to said reception entity.

39. An electronic information distribution system according to one of claims 33 to 38, wherein, in said same process, before encrypting said electronic information said transmission entity embeds different electronic watermark information in said electronic information.

40. An electronic information distribution system according to one of claims 33 to 39, wherein a signature for said reception entity is examined using an anonymous public key accompanied by a certificate issued by a certification office.

41. An electronic information distribution system according to one of claims 32 to 39, wherein, when said third entity serves as a reception entity, a signature for said third entity is examined using an anonymous public key issued by said certification office; and wherein, when said second entity serves as a reception entity, a signature for said second entity is examined using an anonymous public key issued by said certification office.

42. An electronic watermark superimposition method, whereby, for the transmission of electronic information to a reception entity by a transmission entity, said transmission entity repeats the electronic watermark processing performed for electronic information that has been encrypted by said reception entity, so that electronic information on which an electronic watermark has been superimposed is, at the least, transmitted by a first entity via a second entity to a third entity.

43. An electronic watermark superimposition method comprising the steps of:

a transmission entity performing a first encryption process for electronic information;
a reception entity performing for the resultant electronic information a second encryption process that differs from said first encryption process, and returning the obtained electronic information to said transmission entity; and
said transmission entity decrypting said electronic information for which said first encryption process has been performed, and embedding electronic watermark information in said electronic information that is decrypted,
whereby by repeating said steps, said electronic information on which said electronic watermark information has been superimposed is, at the least, transmitted by a first entity via a second entity to a third entity.

44. An electronic information distribution system comprising:

a first entity, whereat original electronic information is held;
a second entity, for managing and distributing electronic information received from said first entity; and
a third entity, for employing said electronic information received from said second entity,
wherein for transmission of electronic information by a transmission entity to a reception entity, said transmission entity repeats the processing for embedding an electronic watermark in electronic information, so that electronic information in which electronic watermark information is embedded is, at the least, is transmitted by said first entity via said second entity to said third entity.

45. An electronic information distribution system comprising:

a first entity, whereat original electronic information is held;
a second entity, for managing and distributing electronic information received from said first entity; and
a third entity, for employing said electronic information received from said second entity,
wherein a reception entity performs a second encryption process for electronic information for which a transmission entity has performed a first encryption process that differs from said second encryption process, and returns the resultant electronic information to said transmission entity,
wherein said transmission entity decrypts electronic information for which said first encryption process has been performed, and embeds said electronic watermark information in the resultant electronic information, and
wherein by repeating said processing, electronic information on which electronic watermark information is superimposed is, at the least, transmitted by said first entity via said second entity to said third entity.

46. An electronic watermarking method comprising the 25 
steps of: 

employing a plurality of means or entities to 
perform distributed processing for the encryp- 
tion and for the embedding of an electronic so 
watermark; and 

employing additional means or entities to 
examine the legality of, at the least, either the 
encryption processing or the processing for 
embedding an electronic watermark that is per- 35 
formed by said plurality of means or entities. 

47. An electronic watermarking method according to 
claim 46, wherein said plurality of means or entities 
are: 40 

a first entity including first encryption means; 
a second entity, including electronic watermark 
embedding means, for managing and distribut- 
ing data received from said first entity; and 45 
a third entity, including second encryption 
means, for employing data in which is embed- 
ded an electronic watermark. 

48. An electronic watermarking method according to so 
claim 46, wherein said plurality of means or entities 
are: 

a first entity, including first encryption means; 
a second entity, including electronic watermark 55 
embedding means, for managing and distribut- 
ing data received from said first entity; and 
a third entity, including electronic watermark 
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embedding means and second encryption 
means, for employing data in which is embed- 
ded an electronic watermark. 

49. An electronic watermarking method according to 
claim 46, wherein said plurality of means or entities 
are: 

a first entity, including electronic watermark 
embedding means and first encryption means; 
a second entity, including electronic watermark 
embedding means, for managing and distribut- 
ing data received from said first entity; and 
a third entity, including second encryption 
means, for employing data in which is embed- 
ded an electronic watermark. 

50. An electronic watermarking method according to 
claim 46, wherein said plurality of means or entities 
are: 

a first entity, including electronic watermark 
embedding means and first encryption means; 
a second entity, including at the least one of 
electronic watermark embedding means, first 
encryption means, and second encryption 
means, for managing and distributing data 
received from said first entity; and 
a third entity, including electronic watermark 
embedding means and second encryption 
means, for employing data in which is embed- 
ded an electronic watermark. 

51. An electronic watermarking method according to 
one of claims 46 to 50, wherein said entities encrypt 
data in which an electronic watermark is embed- 
ded. 

52. An electronic watermarking method according to 
one of claims 46 to 50, wherein said entities embed 
an electronic watermark in data that is encrypted. 

53. An electronic watermarking method according to 
one of claims 46 to 50, wherein said second entity 
embeds an electronic watermark in data for which 
the first encryption is performed by said first entity. 

54. An electronic watermarking method according to 
claim 47, wherein said second entity embeds an 
electronic watermark in data for which the first 
encryption is performed by said first entity and in 
data for which the second encryption is performed 
by said third entity. 

55. An electronic watermarking method according to 
claim 54, wherein said second entity outputs a 
value obtained by transforming the second 
encrypted data using a unidirectional function. 

56. An electronic watermarking method according to
claim 55, wherein said second entity transmits to 
said fourth entity a value obtained by a transforma- 
tion using the unidirectional function. 

57. An electronic watermarking method according to 
one of claims 47 to 55, wherein, together with said 
second encrypted data, said third entity outputs a 
value that is obtained by transforming said second 
encrypted data using the unidirectional function.

58. An electronic watermarking method according to 
claim 57, wherein said third entity transmits to said 
fourth entity a value obtained by a transformation 
using the unidirectional function.

59. An electronic watermarking method according to 
one of claims 47 to 50, wherein said third entity 
receives information for which the first encryption is 
performed in advance, and performs a second
encryption of the received information. 

60. An electronic watermarking method according to 
one of claims 47 to 50, wherein said fourth entity is 
capable of performing a decryption that corresponds
to said second encryption.

61. An electronic watermarking method according to 
one of claims 47 to 50, wherein said fourth entity 
includes means for managing an encryption key.

62. An electronic watermarking method according to 
claim 61, wherein, in order to verify the legality of at
the least said electronic watermark and said
encryption process, said fourth entity decrypts data
that are encrypted while an electronic watermark is 
embedded therein and that are output by a different 
entity. 

63. An electronic watermarking method according to
claim 61 or 62, wherein, in order to verify the legal- 
ity of at the least said electronic watermark and said 
encryption process, said fourth entity compares, 
with a value output by said different entity, said data 
that are encrypted while an electronic watermark is
embedded therein and that are output by said differ- 
ent entity. 

64. An electronic information distribution system, which 
exchanges digital data across a network system
constituted by a plurality of entities, comprising: 

a first entity, including first data encryption 
means; 

a second entity, including electronic watermark
embedding means, for managing and distribut- 
ing data received from said first entity; 
a third entity, including second encryption
means, for employing data in which an electronic
watermark has been embedded; and
a fourth entity for examining the legality of, at 
the least, either the encryption processing or 
the electronic watermark embedding process 
performed by said first to said third entities. 

65. An electronic information distribution system, which 
exchanges digital data across a network system 
constituted by a plurality of entities, comprising: 

a first entity, including first data encryption 
means; 

a second entity, including electronic watermark 
embedding means, for managing and distribut- 
ing data received from said first entity; 
a third entity, including electronic watermark 
embedding means and second encryption 
means, for employing data in which an elec- 
tronic watermark has been embedded; and 
a fourth entity for examining the legality of, at 
the least, either the encryption processing or 
the electronic watermark embedding process 
performed by said first to said third entities. 

66. An electronic information distribution system, which 
exchanges digital data across a network system 
constituted by a plurality of entities, comprising: 

a first entity, including electronic watermark 
embedding means and first data encryption 
means; 

a second entity, including electronic watermark 
embedding means, for managing and distribut- 
ing data received from said first entity; 
a third entity, including second encryption 
means, for employing data in which an elec- 
tronic watermark has been embedded; and 
a fourth entity for examining the legality of, at 
the least, either the encryption processing or 
the electronic watermark embedding process 
performed by said first to said third entities. 

67. An electronic information distribution system, which 
exchanges digital data across a network system 
constituted by a plurality of entities, comprising: 

a first entity, including electronic watermark 
embedding means and first data encryption 
means; 

a second entity, including, at the least, one of 
electronic watermark embedding means, a first 
encryption means and a second encryption 
means, for managing and distributing data 
received from said first entity; 
a third entity, including electronic watermark 
embedding means and second encryption 
means, for employing data in which an electronic
watermark has been embedded; and
a fourth entity for examining the legality of, at 
the least, either the encryption processing or 
the electronic watermark embedding process 
performed by said first to said third entities.

68. An electronic information distribution system 
according to one of claims 64 to 67, wherein said 
fourth entity for performing verification is capable of 
performing a decryption that corresponds to said
second encryption.

69. An electronic information distribution system 
according to claim 66 or 67, wherein said electronic 
watermark information to be embedded by said first
entity includes information concerning said third 
entity. 

70. An electronic information distribution system 
according to claim 66 or 67, wherein said electronic
watermark information to be embedded by said first
entity includes information concerning digital data
to be transmitted.

71. An electronic information distribution system
according to one of claims 64 to 67, wherein said
electronic watermark information to be embedded
by said second entity includes information concerning
said third entity.

72. An electronic information distribution system 
according to claim 65 or 67, wherein said electronic 
watermark information to be embedded by said 
third entity includes information that only said third 
entity is capable of preparing.

73. An electronic information distribution system 
according to claim 65 or 67, wherein said first entity 
embeds said electronic watermark after verifying a 
signature for said third entity by using an anonymous
public key accompanied by a certificate that
is issued by a certification office.

74. An electronic information distribution system 
according to one of claims 64 to 67, wherein said
second entity embeds said electronic watermark 
after verifying a signature for said third entity by 
using an anonymous public key accompanied by a 
certificate that is issued by a certification office. 

75. A signal carrying data watermarked according to 
the method of any one of claims 1 to 10, 23 to 31,
43 or 46 to 63. 

76. A signal carrying processor implementable instructions
for controlling a processor to carry out the
method of any one of claims 1 to 10, 23 to 31, 43,
or 46 to 63.